The IoT is growing at an unprecedented rate and market forecasts are ambitious. While IHS has suggested that there will be 30.7 billion connected devices by 2020 and 65.4 billion by 2025, Intel has gone even further with its prediction that there will be 200 billion connected devices by 2020. New products are hitting the market every day but we’ve largely glossed over the fact that the IoT is not a new phenomenon.
Although the term was only coined in 1999, ‘old’ internet of things devices existed before then – from printers connected to fixed networks, to old smart TVs and Bluetooth speakers. While these devices still work perfectly well, what’s concerning is that we do not know how secure they are and more often than not, neither do their manufacturers. These devices all had code built into them to make them useful but future-proofing them was seen as a cost and time sink – not a revenue generator. The necessary updates may be found somewhere on the website for consumers technically savvy enough to find them, but most devices were sold with un-patched embedded operating systems.
As cyber-attacks continue to hit the headlines and grow more sophisticated, it is simply financially unsustainable to have so many easily compromised devices in the market.
The reasons behind the risks
The IoT has an encouragingly low barrier to entry, but only a very small number of products make it through a single 9-18 month product cycle before failing. Even more products fail once they have been launched to market, which often puts an end to any future security updates, leaving a huge number of IoT devices unsupported. Essentially, short product lifespans offer little incentive to provide costly long-term support, leaving devices ripe for hijacking.
Another contributing factor when it comes to the rise in IoT security vulnerabilities is product design. Most consumers want and appreciate easy-to-use devices and this is often what helps one company gain an edge over its competitor. However, it comes at the cost of compromised security. Not only can the design of core software and passwords be uneconomical, but anything other than a default password is also widely regarded as too complicated for most consumers and is therefore an unattractive consideration for companies.
And finally there remain serious issues around ownership, as it is not always clear who is responsible for ensuring the security of IoT devices. This disconnect within the production process means that security holes are being left open at all stages of the product development phase, resulting in physical vulnerabilities in the hardware as well as others within the operating system and at the application level.
While all of these issues are still a concern for new IoT devices, they are particularly damaging for the internet of ‘old’ things. The potential implications of leaving these devices unsecured include:
- The theft of personal information (e.g. family photos on a computer can be encrypted leading to ransomware issues)
- Loss of sensitive data (if a Wi-Fi router can be controlled then cyber criminals can easily steal data by acting as the ‘middle-man’ for online banking, Google or social media websites)
- Burglaries (thieves can steal household belongings by using a computer to break into a home)
How to secure IoT devices
Admittedly, profit margins on IoT devices don’t pay for ongoing maintenance but by centralising the responsibility for updates, manufacturers can ensure their devices are protected against malicious threats.
By separating the hardware, the low-level software (i.e. the kernel), the operating system, and the overlaying software into independent components, both vital software and firmware updates can become increasingly automated. This ultimately maximises the overall security of the end device, with core updates running every time an IoT device is connected to the internet. When digital authentication is required for all apps, the operating system will isolate any app that turns out to be hostile, so that no other damage is done to the device. As well as significantly reducing the risk, this approach makes the updates as pain-free as possible for manufacturers and consumers alike.
Raising awareness of security threats is an important and ongoing task but the reality is that many consumers aren’t as motivated as they should be to secure their devices. Addressing the issue needs to begin with the operating system and build up from there. At Canonical, we believe that the ability to update software reliably and automatically is absolutely crucial, particularly for older IoT devices that may become physically harder to access. The company’s initiative, Ubuntu Core, delivers exactly that – free and automatic updates to both the operating system and related apps. In the increasingly app-focused IoT world, security is paramount and manufacturers need to deal with security threats right from the outset if they are to create devices that are just as safe for consumers twenty years from now as they are today.