Statista, one of the leading statistics companies on the Internet, charts the worldwide growth in the number of Internet-connected devices (the Internet of Things; IoT) from 2012 to 2020. In 2012, the number of connected devices worldwide reached 8.7 billion. The number of connected devices worldwide is projected to be 50.1 billion by 2020.
Connected, coordinated appliances will make our lives easier, wearable devices will keep us healthier, home automation devices will keep our homes clean and comfortable, workplace devices will track our productivity, and autonomous vehicles will take us where we need to go.
But as we have seen throughout history, innovation often brings unintended consequences. For example, the invention of the automobile is one of the most significant inventions in modern times, yet the downside discovered later was the pollution damage to the environment due to their emissions.
With respect to the internet of things (IoT) and its related advancements, there are already concerns about our over-reliance on technology, workers being replaced by automation, and maintaining our privacy as we become more connected.
But the most significant challenge presented by IoT technology is already upon us: ensuring these devices are secure.
In October 2016, a deliberate spike in Internet traffic by baby monitors and surveillance cameras initiated by a malware strain named “Mirai” brought down a significant portion of the Internet in North America by overloading Dyn, an Internet performance management company, along with Amazon Web Services. The story made headlines in large media outlets; not so much for the significant outage but rather because people’s lives were impacted as PayPal, Twitter, and other Internet-based services were unavailable.
Mirai did not have to rely on complex password hacking to create its botnet of infected devices. Instead, the malware used the default usernames and passwords that were shipped with items such as DVRs and cameras. And, to make things worse, some of these passwords are hard-coded and cannot be changed.
The Mirai attack exposed the vulnerability of Internet-connected devices to the masses. The manufacturers that had products that were leveraged in this bot attack are focused, rightfully so, on building a product for consumers to use and to generate revenue for their company and their shareholders. In fact, one company wasn’t even the manufacturer of a full product, but rather a manufacturer of components used within the products, such as the cameras.
What Does the Future Hold for IoT Device Manufacturers?
In the future, will manufacturers hire cybersecurity teams? It will be interesting to see if manufacturers of Internet-connected devices will have executive level support to spend the proper amount on security expertise. Damage to the brand's reputation will likely force large manufacturers to invest in cybersecurity expertise and proper use of security and privacy principles and procedures. Affected consumers will show their displeasure with a potentially insecure, useless or recalled device by purchasing a competitor’s device.
It will also be interesting to see if government involvement will be necessary. It is one thing to bring down a payment system or a social media outlet, but what are the ramifications in the not-so-distant future when we are driven by connected cars or we are connected to smart medical devices? The risks are far more consequential. In the past, government standards have mostly been adhered to in highly-regulated environments such as financial institutions or government agencies. Standards such as the IoT Trust Framework will eventually be followed, but manufacturers and developers will follow them voluntarily due to increasing pressure from consumers that the Internet-connected devices they purchase be secure. That will be the most important driver in IoT security—public pressure and consumer demand.
Although device security is not necessarily a core competency of manufacturers and innovative product companies, eventually security will rise to the surface.
IoT security is certainly a challenging landscape. It was initially difficult enough to secure a select few smartphone operating systems like iOS and Android, but IoT is a new world with an unlimited number of non-standard device operating systems.
Solutions to IoT Security Threats
There are a number of fundamental approaches that may carry over from current cybersecurity defenses to IoT.
Techniques to identify that a device is Internet-connected, what kind of device it is, and whether it has been “seen before” will help cybersecurity professionals intervene and stop devices or IPs that are causing harmful traffic. While device recognition exists today, it may be that in an IoT world, devices will be identified by traffic patterns and machine learning. It is critical to identify the source of the threat and differentiate it from other (authentic) traffic in order to stop affected machines by blacklisting IPs or the devices themselves and thereby contain the damage.
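The containment approach described above (recognise a device, compare its traffic with what has been seen before, then block the outliers), shown as an added Python example that is not from the original article. The flow-record format, thresholds, device names and addresses are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: "minute device_id src_ip dst_ip packets".
# Device names and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_FLOWS = """\
0 cam-01 192.0.2.11 198.51.100.5 120
0 dvr-01 192.0.2.12 198.51.100.5 300
0 tstat-01 192.0.2.13 198.51.100.9 10
1 cam-01 192.0.2.11 198.51.100.5 130
1 dvr-01 192.0.2.12 198.51.100.5 310
1 tstat-01 192.0.2.13 198.51.100.9 12
2 cam-01 192.0.2.11 198.51.100.5 125
2 dvr-01 192.0.2.12 198.51.100.5 290
2 tstat-01 192.0.2.13 198.51.100.9 11
3 cam-01 192.0.2.11 203.0.113.53 9000
3 dvr-01 192.0.2.12 198.51.100.5 305
3 tstat-01 192.0.2.13 198.51.100.9 14
3 cam-99 192.0.2.77 203.0.113.53 8000
"""

def parse(text):
    for line in text.splitlines():
        minute, dev, src, dst, pkts = line.split()
        yield int(minute), dev, src, dst, int(pkts)

def classify(text, baseline_end=3, factor=10, new_device_limit=1000):
    """Return {device: (src_ip, reason)} for devices whose traffic looks harmful."""
    history = defaultdict(list)   # device -> packets per minute during the baseline
    usual_dst = defaultdict(set)  # device -> destinations seen during the baseline
    flagged = {}
    for minute, dev, src, dst, pkts in parse(text):
        if minute < baseline_end:
            history[dev].append(pkts)
            usual_dst[dev].add(dst)
        elif dev not in history:
            # Never "seen before": no baseline exists, so apply a fixed ceiling.
            if pkts > new_device_limit:
                flagged[dev] = (src, "unseen device above ceiling")
        elif pkts > factor * median(history[dev]) and dst not in usual_dst[dev]:
            # Known device far above its own norm, talking to a new destination.
            flagged[dev] = (src, "spike to new destination")
    return flagged

def blocklist(flagged):
    """Source addresses to block, leaving authentic devices untouched."""
    return sorted(src for src, _ in flagged.values())
```

Comparing each device with its own baseline is what keeps the busy but normal DVR off the blocklist while the camera that suddenly floods a new destination is contained.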
Another option is the deployment of light applications, much like in the mobile world, on the device itself. If there is an ability to create a standard OS which interacts with the endpoint, then there would be the capability to identify that device more uniquely based on its attributes. To use a parallel example, the security for mobile applications is much more powerful because you can identify a returning device and make certain risk assessments about that device. This is beneficial in the case of a DDoS attack, because you know which devices are secure, and which ones to shut down. However, for this to become pervasive, the industry will have to invest in a light operating system with the processing power needed to support the intelligence required. There have been conversations about light applications in IoT, but no firm traction thus far.
Eventually there will be better methods to secure IoT, but the risks are here today, and will only grow in parallel with IoT growth.
About Michael Lynch
Michael Lynch is InAuth’s Chief Strategy Officer and is responsible for developing and leading the company’s new products strategy, as well as developing key US and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.