The internet of things (IoT) will be the next step in integrating even more of the real world into the web. With this step companies and consumers will be facing billions of insecure devices because of the inadequate security measures taken by the manufactures in their rush to satisfy the market.
What’s the Value of a Password?
People are eager to apply IoT devices and the shiny new possibilities weigh heavier than security concerns, observes Security advisor Dave Lewis and quotes a BBC survey from 2004: “More than 70 per cent of people would reveal their computer password in exchange for a bar of chocolate. It also showed that 34 per cent of respondents volunteered their password when asked without even needing to be bribed”. Not much has changed since then – the German comedy “heute-show” did the same experiment in 2014 and quite some people were willing to tell their password for some nice words and a bar of chocolate. Of course, chocolate has a very strong persuasive power…
Internet of Things comes with Risks
“People are creatures of habit. They want the next shiny thing but, they seldom pause to weigh the risk involved. This is where my concern comes into play. People will demand the next iPhone, iPad, Nexus 6 or even an Internet connected fridge but manufacturers need to take into account the security of these devices”, says Lewis. But as the pace of technological progress has already surmounted the human ability to cope with it adequately – i.e. big data is another such issue – we are facing what Lewis calls the “security versus time to market problem”.
Because in IoT there are plenty of risks involved: With the advancement of IoT companies will undoubtedly use more connected devices. Security vulnarabilities on these devices can and will be abused for data theft. In the private area home networks are in jeopardy, too. As soon as one device is hacked, other parts of home systems can be accessible for assault. Examples like the manipulated cardiac pacemaker or heating control already highlight the risks.
Building a secure Internet
Security experts like Prof. Dr. Norbert Pohlmann, director of the Institute for Internet Security, thinks that Germany should take responsibility and be a crucial part in the design of a secure and trustworthy global internet for the future. He demands that IT market leaders should provide open interfaces to allow the replaceability of IT security technologies like encryption – according to the individual need for security. Pohlmann identifies the strong SME IT security market and a deep understanding of IT security needs and data protection as important assets in the German market.
Huh? What Update?
According to Lewis a yet unanswered question is: How will these devices be updated? “If there is a significant vulnerability discovered that affects a large swath of the IoT how will these devices be patched? Is there a plan in place to address this sort of eventuality?” Lewis wonders. He worries whether manufactures will abide to caring extensively for security in the rush of delivering new devices to their eager customers.
IDC predicts 212 billion IoT devices until 2020. That means a lot of IP capable products will be used within companies, like heating and lighting systems, robots, tracking systems and also consumer goods like smart watches and data glasses. With them companies have to deal with an heretofore unknown amount of insecure endpoints. „Without protection these devices will be exposed to attacks that aim to destroy the product or to gain access to the network. IoT appliances usually have no spam-, malware or virus protection, nor are they regularly monitored by IT teams or updated on the latest security standard via patches”, states Eric Chiu, president of cloud security specialist Hytrust.
Security in Embedded Systems becomes crucial
“As the rush continues to add Internet connectivity to devices, the potential attack surface will expand at an alarming rate. Due diligence needs to be conducted to address these issues”, predicts Dave Lewis. He pleads for clearly defined, documented and repeatable processes as the basis for IoT security.
One of the most crucial issues will be embedded systems security. As the pressure of illicit access attempts is growing, the need of more refined security measures will be increasing as well. Standards are a major step on the way and there are various approaches. Just recently i.e. Intel announced its “IoT Platform” reference model that encompasses numerous technologies – from edge devices to gateways to the cloud. The modular approach shall ensure that Intel’s hardware and software components, including those from Wind River and McAfee, can be mixed with those of other vendors, states the company in a press release.
What’s your opinion on connected devices? Do you think about security and risks or do you just want “the next shiny thing”?