By Michelle Base-Bursey, Product and Partner Marketing Manager at Wandera
The vast majority of people in the tech industry today have come to know and love the term “Internet of Things” (IoT).
In case you’ve heard it so much that it’s starting to lose its meaning, IoT is defined as “the interconnection of computing devices embedded in everyday objects, enabling them to send and receive data.” In simpler terms, it means connecting any device with an “on” and “off” switch to the internet.
Technology companies adopted the buzzword to sell connected everything—from smart bulbs to smart fridges—to both consumers and businesses. Although the idea of having alarm clocks talk to coffeemakers sounds exciting, buyers need to be aware of the security risks that come along with this mass tech trend.
Gartner stated that by 2020 there will be over 20 billion connected devices globally. That’s almost three times the number of people on the planet.
It is therefore expected that the IoT industry will come to represent trillions of dollars. The inherent danger is that this type of “gold rush” attracts hackers like bees to honey.
It doesn’t help that this industry is far from regulated, and shows no signs of heading in that direction. Both the U.S. and British governments have shied away from implementing any sort of code of conduct or regulations for manufacturers when it comes to connected devices.
In fact, back in March, Maureen Ohlhausen, the Federal Trade Commission’s acting chair, called for the self-regulation of the industry.
“We haven’t taken a position,” she said to The Guardian. “We’re saying not ‘let’s speculate about harm five years out’ but ‘is there something happening that harms consumers right now or is likely to cause harm to consumers.’”
The Evidence of Insecurity
This statement seems to directly contradict the fact that there have been multiple instances of IoT devices causing cyberattacks and other incidents.
The most recognizable attack was back in October 2016. An incredibly large distributed denial-of-service (DDoS) attack resulted from Mirai malware infiltrating hundreds of thousands of connected devices.
These compromised machines threw massive amounts of junk traffic at servers operated by U.S.-based Dyn, which provides DNS services for many well-known websites. The overload of traffic caused its servers to shut down completely. Hundreds of customers’ websites, including Twitter, Netflix, Airbnb and Reddit, were rendered completely inaccessible by the attack.
Breaking News: Hackers used web-connected devices like cameras to stage attacks that are disrupting major websites https://t.co/6yfjS29ass
— The New York Times (@nytimes) October 21, 2016
Other, more personalized IoT attacks hit closer to home. Connected baby monitors have taken off as a way for parents to keep a closer eye on their little ones from their mobile phones.
However, even with the best intentions, these devices can be untrustworthy. Just a few years ago, thousands of live feeds of compromised child webcams were discovered on one Russian website.
IoT devices make it easy for hackers, armed with as little as a search engine query, to locate vulnerable devices and exploit them.
How Is This Happening?
Unfortunately, many IoT manufacturers are not doing enough today to protect their products. They barely build basic security into them, let alone work to stop massive DDoS attacks, like the one mentioned above, from launching through their devices.
Additionally, the rush to get these devices to market means old versions of standard software are being used, and these can quickly be exploited over and over again.
Businesses in the industry should put their heads together to build and promote a facility for independent testing and verification of connected devices. However, corporations can still sell security-lacking connected devices cheaply and profit massively. There is no urgency to make them secure, and this probably won’t change until security is demanded by the consumer.
With money to be made and no government regulation, it’s safe to say change within the industry isn’t imminent.
It’s unrealistic to expect consumers to protect themselves from IoT attacks. It’s extremely inefficient to ask them to update all of their devices consistently after exploits have occurred. It’s also difficult (if not impossible) for them to tell if their IoT devices have been compromised in the first place.
As stated above, relying on manufacturers is also ineffective. There simply isn’t enough short-term revenue potential for them to invest heavily in security today. Instead, they solely focus on brand protection. If the IoT service is seen to play an important role in the home (e.g. Nest controls access to heating and air conditioning) they will quickly learn that any outage impacts their brand name.
Even going forward, it seems quite unrealistic to expect businesses to create an on-device security solution for every IoT device they create—especially as adoption and mass production accelerate.
The only way to guarantee the security of business devices, then, is to embed device-agnostic protection at every level—data, smart thing, network and user access. This provides a much more scalable, powerful and versatile way of protecting IoT devices without relying on any outside parties.
So here’s the first step to successful enterprise IoT implementations. Find an IoT device management solution that helps enterprise IT onboard, monitor, manage and secure all things from a single console. By delivering continuous and timely software updates to all smart things, ensure IoT devices remain secure at work.