I’m a huge fan of C.S.I. Cyber. Not only for the crimes, but because the fiction always has a hint of truth in it. Episode 1: Baby is kidnapped. Mother screams. No wait. There isn’t just one kidnapping, there are four. How? A whole network of IoT baby monitors has been hacked by organised crime and babies are kidnapped for auction.
Pretty far-fetched, right? Think again. In September 2015 Rapid7 researchers found serious security issues in 9 IoT baby monitors, which made them vulnerable to hackers: they could change camera settings, view live feeds, and grant other users access to view and control the monitor – all remotely.
And don’t even get me started on Jeep.
IoT security spend increases, but not enough
According to a survey by PricewaterhouseCoopers, almost 70% of connected IoT devices lack fundamental security. IoT security spend will reach 348 million dollars this year and it’s estimated to reach 547 million by 2018, says Gartner.
Yet what is this compared to 6 billion connected things in use this year – a number estimated to reach 11 billion by 2018?
“We need more security!” I hear you cry. But it’s more complicated than that.
Lack of expertise
Unfortunately, IoT is in fashion. Many companies connect their product just for the sake of “being connected”, and IoT devices are often produced by consumer goods manufacturers, not hardware or software businesses with cyber security experience.
Designing a secure Internet of Things product requires the skill and ability to secure the entire IoT system and infrastructure. It’s not enough to secure just the IoT product; you also need to take into consideration the software and where and how the data is stored.
IoT devices are always connected and always on. And hackers never sleep.
Lack of updates
To keep up with security standards, connected devices need to be regularly updated, yet only 49% of the companies offer remote updates for their IoT devices. Those who don’t have one of several reasons: it’s more convenient for the company to get users to install updates manually; the company, especially one producing a low-end device, doesn’t see any economic benefit in doing it; it’s seen as too risky; or the company simply doesn’t have the capability to update devices remotely.
Getting consumers to even accept a software update is tough. Imagine how many will proactively find and install it.
Lack of perceived risk
Some users don’t know the risks, some don’t care. For many, a connected fridge is still a fridge, which means that IoT objects are often left unattended and the password can remain the simple 1234. It’s difficult to imagine someone introducing a virus or malware to your computer via a smart thermostat, for example, but it can happen.
But worst of all, not everyone knows that their object is even connected. According to Business Insider, 44% of consumers haven’t even heard of connected cars and 42% have heard of them but are not familiar with what they actually do.
Always a question of priorities
IoT security concerns have created new alliances such as the Internet of Things Security Foundation, and the issue has become increasingly important even at EU and US government level.
Despite IoT devices typically being small, with low battery and computing power, it’s still possible to make them secure. By providing regular updates, disabling non-essential functions by default, restricting network access and not accepting unverified content, we’re already on the right path.
However, getting manufacturers to do this globally is not easy. Some IoT devices are sophisticated and expensive while others are disposable and cheap. When you are producing IoT devices with inexpensive chips and materials, and have to choose between device security and battery efficiency – which one do you think wins? The one that sells more and costs less.
IoT security is hot
So, maybe it’s our marketers’ job to make IoT security sell like hot cakes. Indeed, high security in the Internet of Things would be a great competitive advantage if only users knew – and cared – how risky these devices can be. Educating such a vast number of people is complicated and costly, and that’s why most of us prefer concentrating on benefits users understand and care about. We need to hit our targets as well, you know?
Perhaps watching an episode of C.S.I. Cyber should be made obligatory before an IoT purchase – just for the greater benefit of all of us.