For all the talk about how the Internet of Things is the wave of the future, the fact is that the future is here. The IoT is now a part of our everyday lives, and is only continuing to grow and advance.
The simple fact that there are so many connected devices now — the average home has about seven connected devices operating each day, while the most connected families have 15 or more devices — has made the IoT an attractive target for hackers. No longer do we only have to worry about computers, tablets, and mobile phones, but we also need to be concerned about the security of televisions, refrigerators, smart hubs, and more.
Hackers are not only tapping into these devices to steal personal and financial information, but they are also installing malware that effectively turns IoT devices into bots to be used in large-scale attacks on larger networks. We’ve already seen such attacks take place; in October 2016, DYN was affected by an IoT-enabled DDoS attacks, one of the largest attacks so far.
Investigators determined that the attack on DYN, which took down a number of major websites and servers for several hours, stemmed from internet-connected cameras, such as those used in home security. This discovery highlighted an important issue in IoT security: It cannot be left entirely to consumers, and device manufacturers must address security issues from the very start of the design process.
A Multi-Pronged Approach to Security
The typical IoT device is vulnerable to attack for a few key reasons. For starters, many users fail to read setup instructions, and make use of the “plug and play” features on most devices. In other words, they turn on their devices and connect them to the internet right out of the box, without customizing security features. This, of course, assumes that security can be customized, and it’s easy to do. The majority of IoT device users use default usernames and passwords because they don’t know how to change them, or they believe it will be too difficult.
However, issues with IoT security extend beyond the precautions that users need to take. Security begins with the design of the device itself, from the physical access to the device to how often — and how — firmware updates take place. So while consumers bear some of the responsibility for securing their own IoT devices, engineers need to incorporate better security features in the design.
How to Improve Security?
In order to improve security, device designers need to consider a few additional points in their designs, something that happens rarely right now. For starters, device manufacturers must consider the entire supply chain, as well as quality testing and controls, for their devices to ensure that devices do not have vulnerabilities because of malware, outdated software, or other bugs from suppliers. In other words, in addition to determining whether to use a 16 bit vs. 8 bit microcontroller (which would also determine how much memory might be allocatable for device security), manufacturers must also consider where the devices come from and how well they have been tested.
In addition, device manufacturers must also develop more effective methods of preventing device tampering, as well as improving password management, firmware updates, and key management for encrypted data. While it’s unlikely that a hacker is going to attempt to access, say, an individual coffee maker, he or she may attempt to reverse engineer that device as a means of creating a larger attack. Designers have a responsibility to ensure that the device is tamper-proof and that even if hackers can gain access, that they cannot reverse engineer the system or bypass or deactivate security measures.
Industry advocates are pushing IoT manufacturers to develop a standard for device labeling to indicate that it is secure. In addition to the labeling program, they are also calling for a bug “bounty” program and more standardized systems to for reporting vulnerabilities and other information relevant to the security of devices. Even as that is in the works, though, device manufacturers have a responsibility to take security seriously and incorporate every possible precaution to protect not only their customers, but anyone else who could be affected by a major data breach. Failing to do so could eventually result in fines and other sanctions, as well as a major loss of market share