To instill security-by-design into emerging IoT systems, consumers must stay aware of new risks and demand appropriate levels of privacy and safety.
There are certain things we as consumers have come to do intuitively: brushing our teeth in the morning; looking both ways before crossing a city street; buckling up when we get into a car.
In the not too distant future, each one of us will need to pause, on a daily basis, to consider carefully how we purchase and use Internet of Things devices and services.
This is coming. We are just getting started with the process of turning over granular control of every aspect of human society to ubiquitous digital sensors tuned to feed endless streams of data into increasingly “intelligent” machine algorithms.
The drivers of IoT-centric commerce appear to be unstoppable. And yet we are overlooking profound privacy and security ramifications. As individual consumers and citizens, we won’t be able to bury our heads in the sand much longer – the way we did when Internet commerce began to radically alter our traditional safety nets in the early part of this century. This time the stakes are too high. Here’s what to expect:
Evermore plugged in
Count on the wide deployment of IoT systems to continue at an accelerated rate. There are already more IoT devices than human beings on the planet, according to tech industry research firm Gartner. Of the 8.4 billion IoT devices in use as of 2017, half are consumer gadgets, like smart TVs, speakers, watches, baby cams and home thermostats; much of the rest is made up of things like smart electric meters and security cameras in corporate and government use.
Another tech industry consultancy, IDC, forecasts worldwide IoT spending will hit a record $745 billion in 2019, some 15.4% more than the $646 billion spent in 2018. This will be led by the manufacturing, consumer, transportation and utilities sectors.
The more data IoT systems collect and analyze, the smarter they get, and the more autonomous decisions they are capable of making. Enterprises are all too eager to tap into the resultant operating efficiencies.
Consumers, meanwhile, have been unable to resist staying evermore plugged in. We’ve become obsessed with staying continually connected to family, friends, work and our pastimes.
Criminal innovation
Threat actors certainly have taken notice and have been busy innovating; they fully recognize that hyper-connectivity translates into hyper criminal opportunity. Some of the stunning new IoT-enabled attacks we’ve already seen hint at the new scale and scope of emerging IoT exposures.
Mirai and Reaper are examples of a new generation of IoT botnets built from hundreds of thousands of infected home routers and surveillance cams. Mirai continues to morph and multiply two years after an early variant's exploit attempts knocked roughly 900,000 Deutsche Telekom customers' home routers offline. Researchers at Avast recently shared intelligence about seven new Mirai variants they've tracked in the wild.
The Avast analysts dissected how Mirai code has evolved into a template-like framework that makes it “laughably easy” for budding hackers of modest skill to create new variants. The bar has been lowered for anyone with malicious intent to deploy a Mirai-variant botnet designed to cryptomine, launch denial of service attacks or function as malware distribution proxies.
Putting vast amounts of personal data in motion also naturally creates an entirely new set of complex privacy concerns. IoT data can be mixed and matched to create stunningly prescient profiles – dossiers that can be used for good, but also for predatory purposes. One recent study demonstrated how, by analyzing readings from a smart home, such as energy consumption, carbon monoxide and carbon dioxide levels, and humidity changes, it was possible to triangulate what someone had for dinner.
Security-by-design lacking
Meanwhile, IoT device makers and IoT service providers remain consumed with being first to market with fresh functionalities. Secure-by-design has not been a priority.
Many of the IoT sensors hoovering up sensitive personal and business data, and the routers this data flows through, ship with weak, default or hard-coded passwords and lack a uniform way to receive patches for the software vulnerabilities that inevitably turn up. Nor has anyone accepted accountability for encrypting these new flows of data, whether in transit or at rest.
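As an added illustration (not code from the original post or from Avast), here is a small Python audit of the first weakness named above. The credential pairs are a subset of the 62 username/password entries hard-coded in the scanner of the publicly leaked Mirai source; the device inventory is constructed sample data, and the audit function and its finding labels are this example's own. Alongside the check it generates the kind of per-device random password that a device shipping without a universal default would need.

```python
"""Audit an IoT fleet's credentials against the dictionary Mirai's scanner used.

Added example, not code from the original post or from Avast. The credential
pairs below are a subset of the entries in the scanner of the publicly leaked
Mirai source; the device inventory is constructed sample data.
"""
import secrets
import string

# Subset of the (username, password) pairs Mirai's scanner tries over telnet.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("admin", "1111"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("Administrator", "admin"),
    ("service", "service"), ("supervisor", "supervisor"),
    ("guest", "guest"), ("guest", "12345"), ("admin1", "password"),
    ("ubnt", "ubnt"), ("root", "system"), ("root", "7ujMko0vizxv"),
    ("root", "7ujMko0admin"), ("admin", "7ujMko0admin"),
}
# Passwords alone are also worth matching: a bot trying root/password will
# just as happily succeed against user/password on a device that allows it.
MIRAI_PASSWORDS = {p for _, p in MIRAI_DEFAULTS if p}

MIN_LENGTH = 12  # example policy threshold, an assumption of this example


def audit_credential(username, password):
    """Classify one credential pair; returns a finding label or None if clean.

    Checks run from most to least specific, so a pair that is both in Mirai's
    list and short is reported as the Mirai hit.
    """
    if password == "":
        return "empty-password"
    if (username, password) in MIRAI_DEFAULTS:
        return "mirai-default-pair"
    if password in MIRAI_PASSWORDS:
        return "mirai-default-password"
    if password == username:
        return "password-equals-username"
    if len(password) < MIN_LENGTH:
        return "short-password"
    return None


def audit_inventory(inventory):
    """inventory: iterable of (device_id, username, password) tuples.

    Returns {device_id: finding} for every device that fails a check.
    """
    findings = {}
    for device_id, username, password in inventory:
        label = audit_credential(username, password)
        if label is not None:
            findings[device_id] = label
    return findings


def provision_password(length=20):
    """Generate a per-device random password from a CSPRNG.

    This is the replacement for a universal default: each unit gets its own
    secret, so a dictionary like Mirai's has nothing to hit.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample inventory (device id, username, password).
SAMPLE_INVENTORY = [
    ("cam-01", "root", "xc3511"),
    ("cam-02", "admin", ""),
    ("dvr-07", "admin", "smcadmin"),
    ("dvr-08", "admin", "Summer19"),
    ("tstat-3", "user", "password"),
    ("gw-1", "ops", "Wq7hT2pLm9xQ4vRb"),
]

if __name__ == "__main__":
    for device, label in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{device}: {label}")
    print("replacement credential for cam-01:", provision_password())
```

Run as a script it lists five of the six sample devices as findings; only `gw-1`, with a long non-dictionary password, passes. The per-device generator is the cheap half of the fix; the other half, which no script can supply, is a way to push a changed password and a patched firmware to every unit already in the field.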
Industry standards-setting bodies and government regulators recognize what's at stake. Last fall, the UK's Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) published a Code of Practice for Consumer IoT Security, guidelines encouraging IoT device makers to produce connected devices that are secure by design, ship without universal default passwords and are easy to update.
Likewise, the U.S. National Institute of Standards and Technology (NIST) spent four years hammering out a framework for engineering trustworthy secure systems, IoT included, issuing NIST Special Publication 800-160 (Systems Security Engineering) in late 2016.
But companies and agencies need to do much more to get ahead of the problem. More public awareness campaigns modeled after Europol and ENISA’s IoT security conference in The Hague, Netherlands would be a good start.
It's clear IoT-enabled cyber attacks will only escalate. Invariably, this will start to undermine trust in connected services to a degree we have not yet experienced. That's when we will start paying attention as individual citizens and small business owners. Only when we demand it will the Internet of Things achieve a level of trust that makes it stable.
Talk soon.
Byron Acohido is a guest blogger on the Avast Blog where you can catch up on all the latest security news. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products.