According to IDC, by 2025 there will be 41.6 billion Internet of Things (IoT) devices, generating a massive 79 zettabytes (ZB) of data. To put that into perspective, in 2006, IDC estimated that the total amount of electronic data created and stored was a mere 0.18 ZB. This growing amount of data represents a vast and exponentially increasing attack surface, which poses a huge opportunity for cybercriminals and a seemingly insurmountable task for those responsible for protecting and securing it. This task is only made more difficult by the lack of regulation and security measures being built into IoT devices at present. As IoT looks to become a foundational aspect of our everyday lives, it’s vital we, as consumers, understand the threats posed to our devices and the data they store.

 

Ubiquitous uncertainty – Clarifying risk

Most consumers don’t know how to protect themselves and their personal IoT devices. In fact, inadequate security has created a surge in IoT data breaches, as unsecured connected devices now account for 26 percent of security incidents. Take, for example, the tech aisle in your local Home Depot store. Walk down it and you’re inundated by screens and flashing lights, all promising to simplify and improve the functionality of your home by conveniently connecting everything to the internet. While these devices might impress your neighbors when you show them you can change the lights in your living room from your cellphone, for an experienced engineer, or more worryingly a determined hacker, this connected lightbulb simply provides another way to gain access to your home and personal network. If you don’t know how to secure them, and the device manufacturer isn’t obliged to build in security controls, then each new gadget will open a new way for intruders to access your home - from connecting to your private network via a connected lamp, to entering your home by hacking an electronic locking system.

In fact, the more devices you have connected to the internet, the more risk you are exposing yourself to. Think of electronic thermostats. If a hacker gains unauthorized access to the control system, they have the potential to put lives at risk by modulating central heating systems when they are needed most. Similarly, connected smoke alarms can be digitally tampered with, putting residents and their families at risk. These devices, which were designed to protect and simplify your life, could inadvertently enable an event or set of circumstances that puts you in danger.

 

Regulation, mitigation and protection

While the majority of IoT devices operate with low power modes, when you combine them in the thousands, or tens of thousands as you would likely find in an office, they begin to provide a number of concerning attack vectors. These attack vectors are amplified when you consider the fact that there is currently not enough being done to secure IoT devices from a risk and compliance perspective. In fact, there is currently very little regulation and oversight that goes into IoT devices before they are deployed in millions of homes. Only after regulation and limitations have been mandated by governments will we begin to see IoT devices that are secure by design. Currently, the more connected devices you possess, the more dangerous the distributed computing capability of rogue IoT devices becomes.

In the U.S., the state of California is leading the way with this, mandating certain levels of controls for devices sold in the state. This means manufacturers will be expected to retroactively implement security-conscious changes to devices that have been sent to market. Unfortunately, without this kind of governmental pressure, most manufacturers will avoid taking responsibility for their production methods and the end users impacted by their negligence. It’s unreasonable to expect the average consumer to jump through technical hoops to ensure that the IoT devices that they purchase are secure. This means that the responsibility defaults to the manufacturers, who simply must institute architectural reviews that examine back doors and potential exposure vectors. Using a unique user ID and a strong password will greatly reduce the threat; however, this does not make you immune.

From biographical information to geographical location, IoT devices harbor a goldmine of highly valuable personal data, and they should be treated and protected as such. While it’s difficult to optimize software security, manufacturers aren’t even expected to meet a minimum requirement at present. This means that IoT, like many technological advancements, will become as much a risk and burden as a benefit and aid. However, this prospect should not prevent us from making our lives easier and more enjoyable. Instead, we should put pressure on companies and governments to ensure a baseline level of security is embedded into the manufacturing process to protect our devices, our homes and ourselves. Cybersecurity is a culture, and if we want it to improve and be prioritized, we need to initiate action from the bottom up.