The sudden proliferation of “smart” devices has opened up endless avenues for hackers to invade our privacy. The internet of things, or IoT, may be simultaneously making our lives easier while leaving us less safe. Of course, such concerns are nothing new. Whenever a major technological innovation comes along, criminals find ways to exploit it. However, now that there are more IoT devices than humans on Earth, engineers and developers need to adopt a new paradigm for cybersecurity in the IoT age.
How are IoT Devices a Security Threat?
The sheer number of IoT devices raises obvious security concerns, yet weak infrastructure often makes such gadgets especially vulnerable. Their low computing power isn’t capable of supporting the level of encryption that has become standard in smartphones and laptops. Consequently, modern convenience can potentially create openings for hackers to infiltrate a network. In 2015, for example, hackers discovered a vulnerability in a commercial smart refrigerator, which allowed them to gain access to users’ Gmail accounts. Once an IoT device gets synced with a smartphone, tablet or computer, all of the data stored on those machines are potentially at risk.
Nonetheless, hacked email and bank accounts are the least of our problems. Security cameras with Wi-Fi connectivity can be hacked to spy on people. Anything with a GPS can be exploited to stalk someone. Hackers can devastate businesses, government agencies and even places like hospitals by shutting down their operations.
High Profile Hacks
The first half of 2017 saw hacks of historic proportions. Two major incidents in the spring and summer saw a ransomware virus called “WannaCry” attack major corporations and government entities across Europe, India and the U.S. Several ministries of the Ukrainian government, including the computer system responsible for monitoring radiation levels at Chernobyl nuclear power plant, were brought to a standstill, and several hospitals in the UK had to turn away patients due to malfunctioning equipment. All-in-all, WannaCry hit at least estimated 74 countries and caused $4 billion in damages.
Ironically, the virus actually originated from the National Security Agency of the United States. Hackers stole it from the NSA and used its exploits to cause a global panic. Although WannaCry did not target IoT devices, the incidents nonetheless demonstrate how quickly such attacks can get out of control. With more entry points than ever for hackers to exploit, we’ll likely start seeing more large scale cyber attacks.
Healthcare facilities are especially vulnerable to such attacks considering the amount of equipment now connected to the web. Upping IT security standards take time and money, which are resources that many hospitals in the world lack. MRI scanners, for example, must to be taken offline periodically to install updates, so it’s easy for busy hospital staff to put updates off as long as possible. To make sure patients are protected, hospital IT staff must start taking security more seriously.
IoT security also affects patients on the individual level. For example, The U.S. Food and Drug Administration had to recently recall nearly half-a-million implantable cardiac pacemakers when security flaws were identified in the devices. Therefore, patients had to visit their doctors for a firmware update. As more people start getting IoT implants, we may all be going in for monthly security checkups.
IoT and the Cloud
The expansion of the cloud and online data storage has been a major driver of new IoT technology. While the ability to keep information in cyberspace rather than local hard drives comes with many upsides, there’s now more personal data than ever online. Therefore, securing access privileges will be a top priority for IT professionals going forward.
Another major problem with IoT security is that smart devices often don’t support automatic updates. In today’s rapidly evolving world, a product manufactured with top-of-the-line security features will be outdated within a year. Makers of IoT devices must start releasing patches to protect users against the latest malware. Fortunately, cloud technology makes such updates easy to implement.
How Individuals and Businesses can Protect Themselves in the IoT Age
Hardware and software developers have a responsibility to market products that are safe for the public. Indeed, just as there are consumer regulations for vehicles, we may soon see consumer regulations for smart devices. In the meantime, individuals and businesses can take steps to preempt potential security threats.
All home and business networks should be set up to require an identifying signature from devices that try to connect. That way, the administrator will receive a notification if an unauthorized device is recognized. Smart firewalls are also recommended for homes or offices with multiple IoT devices. Companies might want to consider creating a policy that requires employees to obtain permission before connecting their personal IoT devices, such as fitness trackers, to the business network.
As a preventative measure, some government officials are encouraging IoT developers to minimize the amount of data they collect from users. Former U.S. Federal Trade Commission chairwoman Edith Ramirez told developers at the 2015 Consumer Electronics Show that customers should always have the choice to opt-out of data collection.
Smart Home Security
A report by Trend Micro identified over 1.8 million cyberattacks through home network routers during a six month period in 2017, and eight percent of those attacks involved smart homes. Most smart home attacks took place in the U.S., the U.K. and China. The report found that hackers are increasingly using connected devices for Bitcoin mining, but they can also steal data and spy on users. Once hackers have access to one connected device, all communications over the network can be compromised.
Home security threats are scary enough, but attacks on businesses and governments have a much wider impact. As smart lighting, smart thermostats and smart blinds are becoming commonplace in offices, it’s well past time to start considering legislation to regulate IoT devices.
Regulating the IoT
Last year, the digital policy chiefs of the European Commission proposed new rules requiring all internet-connected devices to adopt the higher security standards currently found in most smartphones and laptops. In the U.S., both Republican and Democratic senators have sponsored The Internet of Things Cybersecurity Act of 2017, which codifies procedure for connecting IoT devices to federal government servers. Considering that government agencies are investing heavily in smart devices for architecture, agriculture and defense purposes, we need to start setting higher standards fast. Developers who lead the way on the issue of IoT security will have a significant advantage over their competitors.
Will Developers Rise to the Occasion?
Since every American now knows that the NSA is capable of spying on them, attitudes toward internet security will likely change. People currently have a heightened awareness of the issue, and this trend will continue as cyber attacks become more frequent and widespread, but we could reach a point where people simply accept that they have no privacy. Considering how much information people willingly share on social media, we may already be there. Nonetheless, IT professionals cannot get lazy.
As more high-profile hacks are bound to happen, customers will start gravitating toward businesses that can guarantee consumer safety. Cybersecurity could become the next big market differentiator for all industries in the 21st century. Since the IoT shows no signs of slowing, now is the time to take a more proactive approach.