IoT security: Are we finally turning the corner?
By Tony Anscombe
Better IoT security and data protection are long overdue. Will they go from an afterthought to everyone’s priority any time soon? As October draws to a close, so does Cybersecurity Awareness Month, and we can all sit back and congratulate each other on a job well done and forget about the need to think about cybersecurity for another year. If only it was that simple!
The need to proactively consider security everyday has never been greater, especially given that the number of connected devices is predicted to grow at unprecedented levels from approximately 20 billion today to anywhere between 50 billion through to 75 billion by 2025, depending on whose estimate you believe. The broad range is probably a good indication that experts have no true prediction on how quickly people, industry and infrastructure will adopt new technology.
This growth, in part, can be attributed to increased availability of bandwidth and new generations of mobile connectivity. The implementation of 5G networks provides superior reliability with negligible latency and will extend and empower a new wave of opportunity and innovation for connected devices. The impact is likely to be witnessed in every industry: healthcare, agriculture, logistics, transportation, you name it… in fact, it’s difficult to think of an industry that will not benefit from the advanced communication that 5G offers.
Internet and Things
Today though, take a walk down the street; the growth of consumer connected devices is there to see, connected doorbells, home-security systems, connected cars and people jogging past with their smart watches and fitness trackers, through to solar panels with real-time energy efficiency monitors. It is not only consumers automating and adopting technology for convenience though; the cities we live in are also turning to technology to offer services, bike and scooter rental stations, automated visitor kiosks and such like.
Industry and infrastructure are also on board. Industrial washing machines, pumps, carts, traffic monitoring and pollution sensors demonstrate that devices once considered off-grid are now being connected with sensors to gather real-time data to monitor environment, functionality and performance. Connected device innovation is at the heart of virtually every industry.
This overwhelming use of technology in every industry and every corner of life creates a massive opportunity for cybercriminals to take advantage of, as was demonstrated in 2016 by the Mirai botnet that used hundreds of thousands of IoT devices to launch a distributed denial-of-service (DDoS) attack on the DNS servers, bringing large parts of the internet to a standstill. As the number of connected devices grows, then the opportunity for abuse unfortunately grows with it.
If a device is connected, it’s most probably collecting data. In the case of consumers, this could be personal sensitive data about sleeping habits, health, eating and the resulting need to secure the wealth of data being collected by all devices needs to be at the forefront of users’ thoughts when purchasing devices and vendors when developing them.
Getting ahead of the curve
Legislators and governments are taking action to help ensure privacy and security, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are examples requiring vendors to seek permission to collect data and to provide adequate security to protect it.
There’s also regulation starting to appear that requires some minimum security standards for IoT devices. California, for example, requires every device to have a unique password out of the box and for it to only collect the data required to complete its advertised function. The UK government has also unveiled a proposed law to secure IoT devices, including by mandating that manufacturers state clearly for how long security updates will be made available.
As regulators attempt to grapple with the fast-moving environment of connected devices technology, it also falls on us as either the direct or indirect consumer of these services to ensure that our privacy and security are maintained and respected throughout. In the last year we have seen public pressure pause the implementation of technologies like facial recognition when implemented in public places as part of this vast connected devices rollout, with the reason being racial bias and inaccurate results.
It’s our duty as the gatekeepers for the next generation to ensure that future technology, including connected devices, is used in an acceptable way.