Innovative IoT Ups and Downs (Still) Hinge Largely On Security

Spread the love


 On the Precipice of Change

As time goes on, it becomes increasingly apparent that the Internet of Things (IoT) is an inevitability to be dealt with, either welcomed or shunned, loved or hated, but definitely not ignored. InformationWeek themselves reported that “in a few years, most of the things we have and do today will be automated, measured, and controlled by the IoT ecosystem, and there is nothing we can do to stop it… we’ll have tens of billions of connected devices at the beginning of the next decade.”

The idea of an IoT future is both exciting and terrifying. With the predicted propensity to revolutionize everything it touches, promises of faster transport and travel, new drone delivery systems, superior healthcare systems, even a better retail shopping experience seem just out of reach. Unfortunately, for every wonderful idea made plausible by the IoT, there are still core issues that need to be worked out. With consequences ranging from annoying to potentially deadly, it’s hard to weigh the potential benefits made plausible and possible by innovation in the IoT against the dangers that the same systems will inherently expose us to. Nevertheless, we must look ahead and realize that even if the IoT is-coming-no-matter-what, there is no similar promise that follows in terms of security and disaster mitigation–at least not yet.

What Exactly is at Risk?

Firstly, philosophical questions abound. Intangible ideas and conventional modes of living are on the frontline, and privacy is at the forefront… but that perhaps hasn’t gotten as much push back from the public because of we’ve been desensitized to it. With revelations by Edward Snowden concerning the federal PRISM program you’d think that public outcry for tighter privacy measures would’ve forced the private sector to adapt–unfortunately this simply isn’t true. In South Carolina, for example, it was revealed that police had been using a “Tower Dump” technique to sift through cell phone data without warrants, a measure that has recently come under scrutiny in Canada as well. Instead of public outcry, many have resigned themselves to a complacent understanding that those in authority will do what they will do when it comes to them encroaching on true privacy inch by inch. Perhaps this is the trade-off for great technology and a symptom of a society used to over-sharing personal information; but will this lethargy last in a world where third parties and criminals start making their threats known as well?


In an 18 minute flight over Austin, a proof-of-concept IoT sniffer drone found nearly 1,600 internet-connected devices potentially open for hacking, from door locks to alarm systems to lightbulbs.

Some of the first reports of actual IoT devices hacked included baby monitors, hitting parents where they fear and feel most: their children’s rooms. Their babies’ cribs. It doesn’t stop there. At the DEFCON 24 security conference last August, security researchers demonstrated their ability to hack smart house thermostats with ransomware and force it stay at 99 degrees unless the owner coughed up $300. At the same conference, hackers showed how easy it was to crack smart home locks with less than $200 of hardware. This is terrifying in conjunction with news of a new proof-of-concept drone that can sniff out nearby IoT devices. In an 18 minute flight over Austin, the drone found nearly 1,600 internet-connected devices potentially open for hacking, from door locks to alarm systems to lightbulbs. These potential threats to a person’s connected home highlight the severe need for consumers to demand better security measures from those making their devices and propagating a wildly insecure IoT, to say nothing of the damages that can be done to businesses as well.

It’s possible that the world of business isn’t as concerned about the risks that come with the IoT because the score is pretty much the same as it’s always been: securing infection vectors that could spread malware across and entire organization, making sure that finances and the institutions that handle them are protected, and securing assets deemed too important to lose, such as databases and devices infected by ransomware, which have cost $1 billion this year already.

Most terrifying perhaps is the criminal’s ability to exploit more vectors due to the rise of unsecured IoT devices and gain access to hospitals and medical devices. According to Healthcare IT News, more than half and up to 75 percent of hospitals in the U.S. had been hit by ransomware in the twelve months preceding April 2016. This, in conjunction with reports that pacemakers and insulin pumps can be exploited in the same way, demonstrates to what the lengths the IoT could be potentially lethal.

Security Threats Will Always Exist… Because They Always Have

2000px-singapore_road_signs_-_restrictive_sign_-_stop_-_security_check-svgSo… here’s the thing. The internet-of-not-things, aka the internet we’ve always had but only connected computers, which has been around in its earliest iteration since 1969, has always had vulnerabilities, and still does. JC Torres, writing for Slashgear, explains succinctly:

The moment computers stopped being hulking cabinets that required physical presence and access in order to use, the moment it was possible for computers to communicate with one another even if far apart, they have become vulnerable. Hacking, whether the good or the bad kind, has never really gone away… It is, perhaps, really the nature of computers. There is no hardware nor software so sophisticated that they cannot eventually be compromised… The fact of the matter is that the Internet of Things will never be completely safe from these things either, just as no computer or smartphone is totally safe.

Torres makes a great point. It’s become part of the cultural norm to assume that your safety is at risk on the internet, and while great tools exist to protect us and steer us away from danger, nothing is 100% foolproof, nor has it ever been. For as long as the internet has been around, so have been hackers and cybercriminals, and by no means should we think this will ever change. It also has to be remembered that many of these potential negative aspects of the IoT–at least the most invasive ones–still haven’t been too widely exploited. Hospitals don’t make this list because the IoT isn’t creating the primary vectors currently being exploited. This may be because smart cars and smart homes haven’t seen widespread adoption yet, but the point is that we have the advantage to educate ourselves, demand change, and the holes in the IoT before it becomes a massive problem.

The onus of responsibility is on manufacturers and consumers to begin seriously creating change in and demanding change of the IoT’s current path. Chris Hodson, EMEA region CISO at cloud security firm Zscaler, explained to SC Magazine that many IoT devices lack security that’s up-to-par because “manufacturers are looking for hardware components which are affordable and increase profit margins… cheap, lightweight components in IoT devices often lack the capability to provide fundamental security services, such as encryption, as its hardware simply cannot support it.”

While it’s become clear that companies producing IoT devices need to adopt security by design as a core philosophy, unfortunately an uneducated consumer base isn’t exactly demanding it–and one might go so far as to say that they are permitting the IoT landscape to be cultivated so dangerous and haphazardly.

“Until consumers demand that security is embedded into the hardware development life cycle, manufacturers would feel no pressure to change their methods.” says Hodson in the same SC article.

Unfortunately, the argument is of the chicken or the egg. Is it up to the consumer to take an active interest in securing their devices, even if not educated on IoT threats (even ones whose effects are more tangential, like IoT botnet slavery)? Or is it up to the consumer to own the responsibility of developing and educating consumers on secure hardware and protocol?

The Future Will Continue to Have Ups and Downs

Only time will tell exactly how the IoT’s tale will be spun. Some fear that it will only be too late, in the aftermath of a catastrophic event caused by connected devices that the public will begin to take IoT security more seriously. Others see the brighter side. PBS reports that colleges are pushing graduates to work in cybersecurity, as the field retains more than 200,000 unfilled jobs with postings up 74 percent over the past five years. This, in conjunction with rise of learn-to-code sites like Codecademy, and increased popularity of programming MOOCs and Bootcamps like Coursera’s and Devry’s, reinforces the new reality that coding is becoming society’s second literacy. Perhaps a more educated populace will begin to institute change themselves, or at least become educated enough to know that they must make security demands of manufacturers.

The other bright side is that there’s just too much money wrapped up in the IoT not to take threats seriously. By Cisco’s 2014 estimate, the Internet of Things is worth a potential $19 trillion dollars, with companies like Apple (APPL) and Alphabet (GOOG), who are already invested heavily in the IoT via wearables and smart home devices, poised to make big dents in the market. As both companies go to great lengths to keep their devices secure already, it’s a safe bet that they understand the need for extensive security before there’s any type of mass market adoption.

The fact remains: whatever your stance on the IoT, it’s coming, and it’s coming fast. The consumer and the manufacturer both have the chance–no, the responsibility–to pre-emptively build a secure Internet of Things, and to cultivate a connected world where technology may be enjoyed without the worrying about its negative aspects. The alternative is a world where vulnerabilities leave consumers one line of code away from total invasion and manipulation by cybercriminals. You decide which you want to live in.