Nearly everyone has some type of Internet of Things device in their home. Whether it’s a connected thermostat or fridge, or just something as simple as a fitness tracker, we are constantly sending and receiving data over the internet, all day, every day.
And very few of us are actually securing that data. We take every precaution we can to protect our computers – and to a lesser extent, our smartphones – but leave most IoT devices, which essentially contain tiny computers, unsecured. This means that, in theory, your personal data, which includes everything from health and financial data to conversations you have in the privacy of your own home, could potentially be accessible to hackers. Imagine a hacker being able to access the feed from the video baby monitor that you use in your child’s bedroom — and watch your kids sleeping and playing. It’s actually possible, and just one example of the risks of unsecured IoT devices.
So why don’t more people make IoT security a priority? The answers vary — but the fact is, there is a problem, and it’s one that IoT manufacturers are going to have to fix.
It’s Not Important and Too Difficult
In many cases, IoT devices are not secure for one of two reasons (or a combination of both): users aren’t aware of the risks, and securing the devices is either too difficult or something they don’t know how to do.
Truth be told, until recently, the idea of an IoT attack was largely theoretical, and any attacks that did take place were limited in scope — if users even knew of them at all. However, in the wake of the IoT-driven attack on internet infrastructure company Dyn, in which hackers exploited a security flaw in connected cameras, the idea of a large-scale attack is becoming more of a reality. Still, many consumers laugh about the idea of a security problem with IoT devices; after all, who would want to attack a refrigerator or a coffee maker?
The problem is, hackers most likely do not care — or even know — that they are attacking a household appliance. To them, it’s simply a connected device that is capable of transmitting data, which means that it’s entirely possible that in addition to storing SPAM, a fridge could be sending spam or DDoS packets, or causing all sorts of other havoc. Unlike a computer, which often shows signs of being infected, such as a slowdown or other problems, a hacked coffee maker is most likely going to continue working just as it did before, meaning that the problem can continue unabated for who knows how long.
Further compounding the issue is that most consumers don’t know how to secure their IoT devices. Few consumers ever change the default password, or install important firmware updates, believing that it’s not important to do so — or they don’t know how. And that’s assuming that the devices can even be effectively secured. One major issue with the rapid proliferation of IoT devices is that some manufacturers aren’t including adequate security in their designs. With manufacturers anxious to get the devices to market, security becomes an afterthought; something that can be addressed “later” — except it’s quickly becoming clear that there is no “later.”
Why the Pressure Is on Manufacturers
Because consumers do not have the knowledge or the skill required to effectively secure their IoT devices themselves, the onus is on manufacturers to build security features into their microchip and microcontroller-enabled devices. Some of the features that could dramatically increase security and protect user privacy include:
- Requiring users to create their own unique login upon first use.
- Enabling devices to automatically update when necessary.
- Conducting penetration tests to identify and secure vulnerabilities.
- Using the right pairing controls, so that users can ensure that their devices are only connected to the networks that they specify, and not a neighbor’s or hacker’s choice.
- Testing new software for known vulnerabilities and exploits.
- Encrypting any and all data that is being transmitted to and from the device.
While including these security controls in a device doesn’t guarantee imperviousness to an attack, it does close many of the gaps that are created due to consumers’ lack of knowledge or concern about IoT security. It’s possible that in the future, consumers will give IoT security the same level of consideration as they give other connected devices, but until then, it’s up to manufacturers to bear the burden — or pay the price with lost customer confidence.