The Internet of Things (IoT) is set to revolutionize our world and is already having a significant impact in many areas of our day-to-day lives. But what exactly do we mean by the IoT, and why is it so important that it is secure?
In short, the IoT can broadly be described as anything that is connected to the internet, but the term is increasingly being used to define technologies which connect to each other through sensors and networks and make things happen.
The possibilities for the use of IoT-connected devices and technologies are almost endless, and businesses are continually looking for new ways to create an ever more connected world. A recent report suggested that 14.2 billion connected things will be in use in 2019 and the total will reach 25 billion by 2021.
Examples range from the fairly mundane, such as sensors which allow lights to be switched on and off, to smart watches and driverless cars, health monitors and the commonly cited “smart fridge”, which might one day allow for delivery by drone of grocery supplies without the consumer even having to write a shopping list.
All of these developments provide the potential for boosting efficiency, improving user experiences, and even saving lives. However, there are risks associated with the proliferation of devices that capture our data and are increasingly interconnected.
Three ways in which the IoT poses risks
Firstly, the proliferation of internet-connected devices means that users’ personal data can be combined in new and powerful ways.
While this can be useful in terms of enabling improved customer experiences, it also means that the companies who have access to this data (and those who might want to steal it) can learn a huge amount about individuals’ behaviour through potentially innocuous devices.
For example, the routes your autonomous car travels, the contents of your fridge, and the data from your smart watch can all combine to reveal a powerful picture of an individual’s life.
While this can be used for marketing purposes, or indeed to suggest improvements to an individual’s daily life, it can also be a route in for those who wish to manipulate someone’s behaviour.
Secondly, IoT devices don’t only give potential hackers access to individuals’ data and habits. They also provide a route in to undermine the very architecture of the internet.
In 2016, a botnet was created which took advantage of a huge number of IoT devices by effectively scanning the internet to test for those devices which had default usernames and passwords. Those devices were infected with malware called Mirai and became part of the largest DDoS (distributed denial of service) attack ever, which left vast portions of the internet inaccessible, including Twitter, CNN and Netflix.
Thirdly, the risks posed by IoT devices rise even higher when we start to envisage “smart cities”, where the digital ecosystems of whole cities are interconnected. Here, the risks move from being privacy-related to potentially posing physical threats. For example, we have already heard about autonomous cars being affected – maliciously or not – and the risks will only increase as the online and physical worlds become increasingly intertwined.
Building in global standards by design
In order to fully harness the potential of the future of these devices, governments and manufacturers have started to put their heads together to come up with a new technical architecture to enable the security of connected devices without hampering the consumer experience or adding too much additional cost and process.
Various initiatives are underway to help secure consumer devices and to incentivize the producers of these devices to ensure security is an integral part of their design. A set of principles for how to secure consumer IoT devices was recently endorsed by the European Technical Standards Institute (ETSI), building on a UK code of practice for IoT security published last year.
The ETSI specifications set out three main criteria to look for when buying internet-connected devices, which should help protect against a large number of attacks:
1. Devices should not be pre-set with passwords that the consumer is expected to change; each device should instead have a unique password. This would have helped prevent the Mirai attack and removes the onus on the consumer to change passwords.
2. Companies which produce internet-connected devices and services should provide a point of contact so that issues can be reported. This allows companies to respond and fix any issues.
3. Software updates or “patches” to connected devices should be easy to implement and timely. This ensures that software glitches, which could provide a weakness for an attack, can be corrected if needed.
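As an added illustration (not taken from ETSI or from the original article), the three criteria can be expressed as an audit over a device provisioning manifest. The manifest format, field names, default-password list and 180-day update threshold are all assumptions made for this example.

```python
import hashlib
from collections import Counter
from datetime import date

def fp(secret):
    """SHA-256 fingerprint, so the audit never handles plaintext credentials."""
    return hashlib.sha256(secret.encode()).hexdigest()

# Illustrative factory defaults (assumption); a real audit would use a longer list.
DEFAULT_FPS = {fp(p) for p in ("admin", "password", "12345", "root")}

# Constructed sample manifest; the format and field names are hypothetical.
MANIFEST = [
    {"serial": "CAM-001", "cred_fp": fp("admin"),
     "security_contact": "", "last_update": "2017-01-10"},
    {"serial": "CAM-002", "cred_fp": fp("admin"),
     "security_contact": "security@vendor.example", "last_update": "2018-12-01"},
    {"serial": "HUB-001", "cred_fp": fp("k7#Vq2!mZp"),
     "security_contact": "security@vendor.example", "last_update": "2018-11-20"},
    {"serial": "HUB-002", "cred_fp": fp("Xr9$tLw3&b"),
     "security_contact": "security@vendor.example", "last_update": "2018-02-01"},
]

def audit(devices, today, max_update_age_days=180):
    """Return {serial: [findings]} for devices that miss any of the three criteria.

    max_update_age_days is an assumed threshold for "timely", not an ETSI value.
    """
    seen = Counter(d["cred_fp"] for d in devices)
    findings = {}
    for d in devices:
        issues = []
        # Criterion 1: no default credentials, and no credential shared across units.
        if d["cred_fp"] in DEFAULT_FPS:
            issues.append("default-password")
        if seen[d["cred_fp"]] > 1:
            issues.append("shared-password")
        # Criterion 2: a point of contact for reporting issues must be published.
        if not d.get("security_contact", "").strip():
            issues.append("no-security-contact")
        # Criterion 3: the last software update must be recent enough.
        age = (today - date.fromisoformat(d["last_update"])).days
        if age > max_update_age_days:
            issues.append("stale-software")
        if issues:
            findings[d["serial"]] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit(MANIFEST, date(2019, 1, 15)).items():
        print(serial, ", ".join(issues))
```

Note that a credential can fail the first criterion in two distinct ways: it may be a well-known default, or it may be strong but identical across every unit shipped.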
California has also become the first state in the US to pass a specific IoT cybersecurity law, which specifies certain measures that must be taken by manufacturers to secure devices.
There is still a long way to go in ensuring that the IoT can be secured to protect the future benefits of the Fourth Industrial Revolution (4IR), but the collaboration shown by this recent work is a positive sign.
The World Economic Forum is working on a number of initiatives to capitalize on the benefits of IoT and ensure they can be harnessed safely and securely. The Forum’s Centre for Cybersecurity will be working with public and private sector partners in order to build on this work and help ensure that the full benefits of our connected future can be secured.