Are we ready for hackable everything in the IoT?
The short answer: Probably not, but that’s not stopping us.
More connections in the IoT means far greater potential for breaches.
When a Tesla was involved in a fatal accident, debate arose about what it meant for the future of self-driving cars. However, at the same time, the Internet of Things, or IoT, is rising up around us – or at least the more tech-savvy among us – and it theoretically poses comparable threats, but we haven’t heard as much debate about viability.
To wit: Recent reports have highlighted the hackability of smart locks, as well as thermostats and traffic lights. And reports say consumers are indeed worried. But, like true love perhaps, it seems even if flaws are part of the package, consumers are willing to roll with the punches.
According to Manolo Almagro, senior managing director of innovation and retail technology at retail marketing agency TPN, no one – and no device – is safe from hackers – not even, he noted, the NSA.
And that means the only 100 percent surefire method to ensure security and privacy within the IoT is to not connect to the Internet.
In fact, according to Jake Bennett, CTO of digital agency Pop, consumers are all too willing to trade convenience and functionality for security.
“Banks, hospitals, insurers, retailers and even governments are compromised by hackers on an almost daily basis, yet people still flock to the Internet in droves. We’ve become numb to digital security threats,” he said. “Most people don’t even bother to make their [logins] secure by adding a few extra characters to their password. In the digital age, convenience trumps security every time.”
But the stakes are much higher in the IoT.
“It is the very exciting prospect of everything being connected that is also the inherent threat and canary in the coal mine as hackers could maliciously disrupt people's daily lives in a much more personal way than before – in their cars, their homes and on the devices they personally carry and wear,” said Drew Ianni, chairman of the IOT Influencers Summit. “In the past, we worried – and still worry – about equally damaging hacks like identity theft and credit card fraud – but, as serious as they are, they are abstract – numbers on a computer or statement – and there is often a monetary remedy or restitution from your bank or financial institution. But the reality of having your car steer out of your control or your baby monitor going haywire or, at a more dire and commercial level, having a power grid, traffic lighting system or air traffic control system go haywire, can have very tragic and personal consequences [like a plane falling out of the sky or a car swerving into oncoming traffic].”
And while there will always be hackers, hacks and their ramifications will become increasingly personalized as the potential for tragic human consequences grows by orders of magnitude along with the potential entry points in the IoT, Ianni added.
And therein lies the problem.
‘The single biggest threat to the development and market potential of the [IoT]’
“One universal truth surrounding IoT is that security and privacy are, and will be, issues of paramount importance,” Ianni said. “Simply put, security is the single biggest threat to the development and market potential of the Internet of Things, period.”
Shiva Vannavada, CTO of digital marketing agency iCrossing, agreed security is a critical obstacle.
“I’d go so far as to say that security on connected devices is not remotely close to being adequate yet,” he added.
Indeed, Almagro pointed to a study from professional services company Accenture and said security concerns among consumers are why IoT adoption has been measured to date.
But, to be fair, Almagro said the cost of connected devices has also slowed adoption.
Further, Almagro said that in many cases, there’s a practical explanation as to why device manufacturers have perhaps not adequately addressed security to date: And that, too, is cost. In other words, he said, “[Manufacturers] are not overly concerned with something that might make their products more expensive.”
At the same time, he also noted many IoT devices lack patching mechanisms that allow for security holes to be closed quickly, which means the risk for users is even higher.
For his part, Bahman Zakeri, CEO and chief strategist at digital agency Xivic, called for an adjustment to the entire security ecosystem as the IoT market explodes.
“Researchers Craig Smith and Jason Haddix have started the OWASP Internet of Things Project to help manufacturers, developers and consumers better understand the security issues associated with the Internet of Things and to enable users in any context to make better security decisions when building, deploying or assessing IoT technologies,” Zakeri said.
Valerie Lisyansky, partner at digital agency Swarm, too, pointed to OWASP as an example of the industry rising to the occasion as security threats increase in complexity and scale.
But, per Mishel Alon, senior director of product management at advertising company Jun Group, additional standards would allow connected devices to communicate more effectively.
“There needs to be a consensus between the major IoT players on how security and privacy are defined,” Alon said. “Moreover, IoT products should limit the data they collect, fully disclose what information is collected [and] they should also allow users to opt-out of data collection.”
For his part, Vannavada called this the wild, wild West and said formalized standard security measures have not been created given the competition from new and established players alike. Furthermore, these companies “are moving as fast as they can to get into market and stake their claim to being the MVP of the space,” which he called “the classic ‘done is better than perfect’-mentality.”
And while the IoT is a complex space that touches on many sectors, which complicates the implementation of standards, some industries have issued their own guidance, such as the FDA’s draft guide for cybersecurity in medical devices, Zakeri noted.
But it’s not just device manufacturers to blame – or the industry as a whole. In fact, Almagro said one of the most vulnerable points in connected homes is the consumer’s WiFi.
“This is the most critical point of entry for any hacker to access any connected devices in the home. If WiFi isn’t adequately secured by the homeowner, access to the IoT devices becomes relatively easy,” Almagro said. “In addition to the WiFi, administration of the IoT devices relies on the consumer. App updates are not always automatic and require ongoing diligence to make sure each IoT device is manually updated with the latest security patches.”
Further, Vannavada noted an opportunity for a brand to emerge as a hero leading the effort in consumer education to help users of IoT technology understand how to properly secure their information.
A crack team of detectives?
Because of all the devices and systems being connected, Ianni said the industry may ultimately “have to play whac-a-mole when it comes to IoT hacking and security unless the industry is fully committed to maximizing their investments in, and commitment to, product design and security.”
But, regardless, many insiders are confident someone will figure out something eventually as a lot of smart people are on the case.
Jack Eisenberg, software engineer and security analyst at creative studio Nelson Cash, said he expects we’ll “witness several serious hacks of objects in the years to come” along with “improved software, firmware and encryption/sanitization techniques that take a security-first approach, along with organizations like OWASP, and the hacker community in general, developing a deeper knowledge base of common threats and concerns.”
Further, he noted companies like Amazon, Microsoft and Verizon are investing in research and development of hardware, software and infrastructure.
“With companies like these backing the IoT expansion…we are likely to see many security issues get solved, as well as connectivity and power,” Eisenberg added.
Vannavada, too, pointed to players like Intel and Cisco, who he said are paying close attention to vulnerabilities and he added, “I’m confident there will be progress made soon on these security challenges.”
Lisyansky, too, noted the industry has been handling hacks for a long time.
“Every new connected technology requires security systems and companies spend money on security systems to ensure that data is safe,” she said. “While cyber attacks will always be a threat as long as technology continues to advance, the silver lining is that we continue to become better at handling these threats.”
However, Zakeri said product developers, too, need to plan for proper time and budget to address security measures with connected products.
In the meantime, Eisenberg said engaging the security community seems like a step in the right direction as well.
“Tesla has openly and positively engaged hackers who break into their cars, for example, and we imagine other companies are hiring talent to break into their connected objects,” he added.