Every month, dozens of Internet of Things (IoT) devices are released, from “smart home” elements and sports trackers to Bluetooth-enabled hearing aids and even pacemakers. The reality is, this growth won’t slow down any time soon… By 2020, the number of wirelessly connected devices is expected to exceed 40 billion; nearly $6 trillion will be spent on IoT solutions over the next five years.
Many of those devices come from low-budget, kickstarted, or self-funded startups. These companies often overlook security since there aren’t many hacking precedents (just yet). Not to mention, a primary goal for most startups is getting to market as quickly and effectively as possible within the allocated budget, which doesn’t leave much bandwidth to give security its due diligence. According to AT&T Cybersecurity Research, 90% of organizations lack full confidence in their IoT security.
It’s A New Era, For New Threats
As you can see from the above, IoT can be found in any part of our lives. This introduces a whole new level of security threats that could never have been achieved with web services and smartphones alone.
We’re now entering an era where the security part of things is going to become more and more important. As we look to the future, enhanced security integration will be a mandatory part of any IoT product development, and as always with security – time is of the essence.
Device Manufacturers Are Making It Easy For Hackers, Here’s How
1. Ecosystem: it’s a mess. You have no idea where your data is going and what third-party vendors are integrated into the service you’re using. The devices become interconnected. Love IFTTT? Now one device can compromise all the others.
2. Technology: it’s wild. It’s becoming more difficult by the day to find standardized solutions and practices adopted by everyone. You find yourself wondering: who built the hardware? Is the hardware itself secure? And what about firmware updates? All the questions…
One compromised SoC/board can lead to millions of devices affected – with no straightforward way or defined practice to fix the vulnerability on all of them at once. Small devices are extremely slow when it comes to proper levels of encryption and decryption. Modern software libraries solve this problem, but take up a lot of device memory.
3. Ubiquity: it’s everywhere. You already have a handful of devices surrounding you at your home or office. In 5 years, you’ll be interacting with dozens of them every day. You’ll start to depend on IoT, rather than seeing it as a “nice to have”.
4. Learning Curve: it’s getting easier and easier to produce. Manufacturers can now create an “IoT Product” with little to no security, using the cheapest hardware, and flood the market with it. Even advanced BLE engineering articles and manuals usually don’t mention any security practices, making it a very easy topic to avoid when you build your own thing.
5. Economics: it’s gotta make cents. Small budgets often mean producing a prototype that’s not secure enough. That might be OK for a prototype that only beta testers interact with, but proper security considerations must be applied before the product hits the market.
It’s Already Happening, And Has For A While
To give you a frame of reference as to how real these threats are, here are some examples.
TRENDnet IP cameras were compromised due to having no authentication in their web interface for the live webcam stream. Even with authentication, many cameras don’t force users to change their default password, making thousands of cameras publicly accessible. TVs, Wi-Fi routers and at least one fridge were part of a botnet of 100,000 devices, sending 750,000 malicious spam emails. Smart homes get hacked all the time. What about medical equipment? You bet!
Hundreds of events like these can be found online every day. And what’s even more troubling is that more devices are being hacked as you read this!
Whether you plan to build your own connected device or are just a casual user, IoT security is a topic you shouldn’t ignore. As the industry gets bigger, hopefully strict security practices will be put in place and engineers, product designers and managers worldwide will dedicate their time to making sure connected devices are properly secured. Meanwhile, be careful about which devices you give access to your life!