Common Internet of Things Security Pitfalls
By Brian Buntz
Sloppy Internet of Things security practices continue to dog device makers. Here are common security mistakes to avoid. Key takeaways from this article include the following: Only a minority of consumers trust the brands they use. And the Internet of Things (IoT) itself has a trust problem in the consumer sector. Privacy concerns and poor user experience have “stymied adoption and created a hesitance among users to trust IoT devices,” wrote William Webb and Matthew Hatton in “The Internet of Things Myth.”
Key takeaways from this article include the following:
- Many IT purchasers continue to distrust IoT devices.
- Internet of Things security concerns still constrain how users approach the technology.
- The situation is unlikely to improve until IoT device makers sharpen their focus on security and information governance.
While the adoption of smart home devices continues to tick upward, privacy and security concerns constrain their use to mainly routine tasks. The most popular smart speaker functionality, for instance, is merely playing music, according to eMarketer research. Meanwhile, IoT device makers continue to face pushback from consumers and regulators over privacy and security. “We’re in a situation where [IoT manufacturers] are fighting these DDoS [distributed denial of service] attacks and all different types of hacking threats that are out there,” said Dilip Sarangan, senior director of research at Frost & Sullivan.
Add to that is the public’s frustration with how manufacturers Internet of Things security and privacy. Last year, an Internet Society survey found that 63% of respondents found connected devices to be “creepy.” Three-quarters of respondents did not trust IoT device markers to respect their preferences in how data is used.
The situation is unlikely to change until IoT manufacturers become savvier in terms of information governance. Here, we examine common pitfalls to avoid when developing an IoT product.
Believing Open Source Software Is Bulletproof
Headlines about consumer IoT devices’ insecurity have remained prevalent in recent years. Most recently, researchers discovered a series of vulnerabilities known as Ripple20 found in hundreds of millions of IoT devices that extend well beyond the consumer sector. “The Ripple20 vulnerabilities affect a vast array of critical IoT devices, including healthcare systems, power grids, smart home devices and more,” said Natali Tshuva, CEO of Sternum.
The discovery of the Ripple20 vulnerability is not surprising, said Terry Dunlap, a former National Security Agency employee who is now the CEO of ReFirm Laws. Many IoT devices are built with open source components. If there is a flaw in any of these components, “it’s going to get spread far and wide,” Dunlap said. While open source software can provide greater oversight than proprietary software, open source security researchers and developers can’t check for every possible security flaw.
Using a One-Size-Fits-All Approach to Security
In 2010, when he was chief executive of Google, Eric Schmidt said that the company’s policy was “to get right up to the creepy line and not cross it.” The seemingly brash assessment highlights that technology balances between helpfulness and privacy-infringing. But consumer attitudes about privacy vary widely.
While standards such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) prescribe similar practices, the regulatory landscape has grown more complex. “In the world of information risk, the general rule is to build to the highest standard, plan for changes, and account for the exceptions,” said Karen Hobert, an analyst at the Analyst Syndicate.
Exaggerating Security or Privacy Features in Marketing
There’s a significant demand from consumers for trustworthy technologies. According to the 2019 Edelman Trust Barometer, roughly one-third of consumers trust most of the brands they buy and use. And when it comes to technology, “people are factoring in security promises when they’re deciding what products and services to buy,” said Ari Scharg, a partner at the Edelson law firm. While many consumers are willing to trade some privacy for convenience, they count on technology companies to keep their sensitive data safe, according to a 2019 survey from RSA.
Given that backdrop, technology companies should avoid overselling their products’ security features, Scharg said. One of the most prominent examples of how overpromising can backfire is the video platform Zoom. The maker of the platform, Zoom Video Communications, initially billed the platform as being end-to-end encrypted. But the company later admitted that that feature wasn’t initially supported.
Blaming Your Customers for Security Problems
While security continues to be an important consideration for consumers, most lack a solid security grounding. Consumers believe “their responsibility to protect their own data is minimal, leading to lax password and information-handling practices,” according to the RSA Data Privacy and Security Survey. The dynamic leads some IoT device makers to respond to breaches by faulting their customers by not using secure passwords or multi-factor authentication. “As a general statement, it’s a bad idea to blame your customers,” said Andrew Howard, CEO of Kudelski Security. Security practitioners should do a better job of simplifying security for end-users and educating them, Howard said.
Conflating Privacy with Fairness
When it comes to information governance, privacy and fairness are both vital concepts. But they are not interchangeable. “Sometimes people conflate those two notions,” said Zulfikar Ramzan, chief technology officer of RSA. Facial recognition is a prominent example where the boundaries between those terms have blurred. Notable technology companies have recently backed away from plans to sell facial recognition technology to law enforcement. But the technology’s privacy-infringing potential isn’t at the heart of its controversy, according to Ramzan. The underlying issue is fairness. “If you think about it, my face is the least private thing about myself,” he said. “The real issue is if somebody takes an image of my face and uses it in ways that are questionable or ways that I might not approve.”
Organizations that fail to consider the fair use of their technology tend to face blowback while the companies most likely to win public support are committed to transparency and consumer empowerment, as McKinsey has observed.
Integrating Security Controls into Products
Experts continually propound secure-by-design principles, but that doesn’t mean the advice is well-heeded. The cost of grappling with security increases the later it happens in the design process. “In my own experience, it is often upwards of 10 times more expensive to build in security late [in the product development cycle],” Howard said. Consumer IoT devices often have thin margins, said Jack Ogawa, senior director, embedded security at Cypress Semiconductor. “If you have a smart thermostat, you might sell a few million units a year,” Ogawa said. “The majority of IoT’ things’ run at hundreds of thousands of units.” That dynamic causes many companies to use a pay-as-they-go approach to manufacturing. That fact, along with time-to-market pressures often result in cutting corners when it comes to security.
Discounting Compliance with Privacy Regulation as a Chore
Compliance with new and emerging privacy standards such as GDPR, the Brazilian General Data Protection Law or California Consumer Privacy Act represents a challenge for many organizations. But complying with such regulations is ultimately “just good business,” Hobert said. Compliance with such laws signals to customers, employees, partners and contractors that a company is trustworthy and responsible. It sends a message that the organization has taken “steps to comply with the law and won’t run into regulatory or legal hot water,” Hobert said. Compliance also communicates that a company “actually understands what data privacy is” and “will be responsive to personal data requests,” she concluded.