There is a problem with the Internet of Things: It’s incredibly insecure.
This is not a problem that is inherent to the idea of smart devices. Wearables, smart houses, and fitness tracking apps can be made secure — or at least more secure than they currently are.
The problem, instead, is one that largely has been created by the companies that make IoT devices. Many of these devices are manufactured by relatively small, relatively new companies with little expertise when it comes to cybersecurity. Even large companies, however, and even those that produce thousands of hackable smart TVs a year, cannot be forgiven so easily.
In truth, when it comes to the Internet of Things, many companies have prioritized connectivity and “innovation” (read popular but insecure features) over cybersecurity.
These approaches have led to a variety of security vulnerabilities in IoT devices.
Insufficient Testing and Updating
Perhaps the biggest problem when it comes to the cybersecurity of IoT devices is that many companies simply don’t support them after release. In fact, many IoT devices don’t even have the capability of being updated, even against the most common types of cyberattack.
This means that even a device that was secure when it was released quickly can become highly vulnerable. Manufacturers often are more focused on releasing their new device than on spending time to patch “historic” security flaws. This attitude can leave these devices in a permanently insecure state.
Failing to update these devices is a huge problem — and not just for consumers who have their data stolen. It also means that a company’s devices can fall victim to a single, large cyberattack that could ruin their reputation, and erase their profitability.
A second major — and avoidable — problem with IoT devices is that they ship with default passwords, and users are not reminded to change them in order to secure their home IoT networks. This is despite industry and government-level advice against using default passwords.
This vulnerability led to the highest-profile IoT hack to date, the Mirai botnet, which compromised millions of IoT devices by the simple method of using their default passwords.
Though some UK-based Web hosts detected the attack and blocked it from reaching consumer devices, dozens of manufacturers had their devices hacked in this way. Nevertheless, in the absence of legal requirements against using default passwords, they continue to do so.
New Types of Ransomware
IoT devices are particularly susceptible to hacking for a more complex reason: They are integrated into the home and corporate networks to a degree unprecedented in traditional systems.
IoT devices typically have a very rapid development process, and during this rush there appears to be no time to think through what such devices actually need access to. As a result, a typical IoT device, or app, will ask for far more privileges than it needs to complete its basic functions.
That’s a huge problem, because it can mean that spyware in the IoT can access far more information than it should be able to.
Let’s take an example. IP cameras typically are sold as IoT devices for smart homes, or for use as webcams. The manufacturer of the device typically will ship it without hardened or updated firmware, and with default passwords (see above). The problem is that if hackers know this default password (and they do, trust me), it is a simple matter to access the feed from the camera.
It gets worse. Using the camera, a hacker can capture sensitive information such as credit card details, passwords, or footage intended for “personal use.” This then can be used to execute a larger hack or to blackmail the victim.
AI and Automation
A more exotic issue with IoT security stems from the fact that IoT networks already are so large and complicated that they are administered via artificial intelligence algorithms rather than by people. For many companies, using AI is the only way to handle the vast amounts of data produced by user devices, and their profitability relies on this functionality.
The issue here is that AIs can make decisions that affect the lives and security of millions of users. Without the necessary staff or expertise to analyze the implications of these decisions, IoT companies can — albeit accidentally — compromise their IoT networks.
Of all the issues on this list, this arguably is the most worrying. That’s because AI-driven IoT systems now handle many critical functions in society, from the time tracking software used to pay employees to the machines that keep patients alive in your local hospital.
Not all IoT device manufacturers are equally guilty, of course. As we’ve previously reported, Arduino is seeking to improve IoT security, and thereby become a leader in the field. In addition, there is an increased consciousness among consumers about the dangers of using insecure IoT devices: Many are turning to VPNs or forms of network management software previously restricted to IT professionals.
The actions of individual companies or individual consumers are not going to solve this problem, however. Instead, there needs to be a paradigm shift in the industry. It’s telling that no (respectable) company would sell, say, time tracking software without committing to keeping it updated. There is no reason this idea is not equally absurd when it comes to physical devices.
Indeed, many of the problems mentioned here — the use of default passwords, or a careless approach to app permissions — were overcome long ago in relation to traditional software. What is required, then, might only be a common-sense approach to locking down IoT devices.