Many challenges affect IoT security, and the top issue is that no connected device can be secured 100 percent. What’s worse is that not much has actually improved since former US Vice President Dick Cheney’s wireless pacemaker was disabled to prevent attempts on his life. That was nine years ago!
Recent DDoS attacks prove that 500,000 devices can be hacked in less than five minutes and turned into botnets, because they haven’t been, or can’t be, updated. Some researchers expect connected devices to reach 50 billion by 2020, while others forecast 20 billion by that date. One thing is clear: the number is growing to at least four devices per user, and we haven’t seen the worst yet. What will happen when billions of connected devices running old software are turned into weapons to attack organizations, cities and even governments?
IoT security is right where we left it nine years ago, although the number of connected devices keeps on soaring. This issue is vital but manufacturers keep ignoring it, while users are as naïve as ever. The only winners in this are hackers, who take advantage of the many opportunities created by the lack of infrastructure to protect IoT and mobile devices.
We’re going through a tremendous online transformation, yet the threats we’re dealing with are “beyond the devices used, as hackers will not only target your devices but all the data stored in the cloud,” Emmanuel Schalit, CEO of Dashlane, a password management company, said in a panel talk at WebSummit last week about how to protect connected devices.
We already know users are a liability, but they also carry great responsibility. Even high-profile officials come up with the weakest passwords and reuse them for multiple accounts. Remember the Podesta email leak fiasco?
Most likely, password security is not the answer anymore. In fact, we need to get rid of passwords and find a way to secure IoT without involving humans because “consumers have a short memory on breaches,” said Rami Essaid, co-founder of Distil Networks. Instead of demanding better security, users expect dozens of fancy features, which only increase security risks.
“Human authentication is not scalable because you can’t type passwords or download firmware updates every day for each device in your smart home,” explained Essaid.
IoT devices are entry points for hackers, but smart homes are not the only areas posing risks to our privacy and safety. Power grids, medical devices, water mains and smart meters collect critical data in real time and, if abused, the consequences could be severe for entire city infrastructures. These devices need unique built-in security that stands the test of time, even 10 to 15 years from now, so vulnerabilities can’t turn them into backdoors to the cloud. Upgradeability may solve a problem or two, if properly focused on the future, to ensure security holes are detected as soon as possible instead of a year later, as is the case now.
Although governments have made some effort to come up with measures, the chances of having unified regulations for IoT are small, mostly because governments are at least five years behind when it comes to understanding technology and the industry, added Essaid. As we can’t rely completely on governments and manufacturers to fix this problem in the near future, educating users about the importance of online security is the most important step forward.