How insecurity is damaging the IoT industry


The Internet of Things (IoT) is often hyped as the next industrial revolution—and it’s not an overstatement. Its use cases are still being discovered and it has the potential to change life and business as we know it today. But as much as IoT is disruptive, it can also be destructive, and never has this reality been felt as we’re feeling it today.

On Friday, a huge DDoS attack against Dyn DNS servers left the majority of internet users on the U.S. East Coast cut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.

The culprit behind the attack was a huge botnet. Botnets are armies of zombie computers, vulnerable devices secretly compromised by hackers, which are silently doing the bidding of their masters, the botlords, without their true owners knowing about it.

While botnets and DDoS attacks are nothing new, the advent and propagation of IoT devices has led to their chaotic growth. There are now millions of vulnerable IoT devices that are easier to access and even easier to hack than, say, computers and tablets that are packed with anti-virus software. That’s why IoT botnets are fast becoming a favorite for bot herders and a real threat for the cybersecurity industry. Put another way, they are democratizing censorship by enabling any hacker with minimal resources to launch government-level DDoS attacks and bring down sites they don’t like.

This is sad news for the IoT industry. It is now evident more than ever that the IoT industry is in a mess, and it’s going to take more than individual efforts to fix it.

The problem, as I see it, is that all the parties that are directly—or indirectly—involved are either ignorant about security issues or have other priorities.

For their part, manufacturers are too focused on shipping feature-complete devices rather than creating secure and reliable products. After all, the IoT industry is in its gold rush era, and everyone is in a hurry to jump on the bandwagon and grab a larger piece of the pie.

And that’s how security concerns take a back seat in IoT development while timing and costs become prominent.

But why are the manufacturers getting away with their incompetence at securing IoT devices? Because others—namely consumers—couldn’t care less. As the manufacturers will tell you, customers don’t buy security, they buy functionality. They want something that works in an install-and-forget model and don’t want to be pestered with security procedures and practices such as password resets and software updates—and costs for things they can’t directly see with their eyes.

As for governments, they’re concerned about the security of IoT, but they’re not doing enough to regulate it and compel companies to vet their products for security and resilience against attack. The only novel and honest efforts we’ve seen so far include initiatives such as the IoT Security Foundation, but there’s only so much a single organization can do when it’s dealing with billions of potentially vulnerable devices and deaf ears that won’t listen to the voice of reason.

And here we are, almost on the brink of IoT devices outnumbering humans, and already devices of our own making are being used to deny us access to our most vital services and needs.

Friday’s spate of IoT-powered DDoS attacks should serve as a wake-up call, not only for IoT manufacturers, adopters and consumers, but for everyone. Many of the people who were affected by the attacks didn’t even know what IoT is.

So whether you care about IoT or not, it’s in your interest to see it secured.

And as much as I love IoT, I’m sad to see the industry destroying itself.

So what’s the solution? I like the thoughts shared by Bruce Schneier in this Vice Motherboard article, and I’d like to build on those to raise the following points, very concisely:

  • Manufacturers should make security an inherent part of their development cycle. Security shouldn’t come as an afterthought but as an integral part of building any IoT or other connected device. And I’ve said this a million times.
  • Consumers should take their own security more seriously. Our lives are becoming more connected than before. Internet services and resources are more vital to our daily tasks than at any other time in history. So we should be more vigilant about the integrity of the devices that are being connected to the internet and hold their manufacturers to account for the security shortcomings. (Security developer Edward Robles has shared some interesting thoughts on how we should change our mindsets toward security in this guest post.)
  • Governments must play a more active role in regulating and controlling IoT security. Standards must be set to make sure every single device that is shipped to the market and connected to the internet complies with a set of security standards, and organizations that do not abide by the rules must be punished.

Of course, no single government can control the security of all the devices being connected to the internet. I’m thinking about a solution based on blockchain technology that will create a global answer to vetting IoT devices for security. I’ll write about it in the future.

What’s urgent is to have a concerted and unified effort to fix the messy state of IoT security. Today, we’re dealing with DDoS attacks. Tomorrow, it could be something worse.

There’s no putting the genie back in the bottle. For better or for worse, IoT will transform our future. Let’s work together to make sure it’s going to be the former and not the latter.

How do you think we should deal with IoT security problems? Share in the comments section.


7 comments on “How insecurity is damaging the IoT industry”

  1. John Moor says:

    As you’re aware Ben, security in IoT is significantly more than a technical concern however that is where we must start. At the IoT Security Foundation the big idea is to build a supply chain of trust – and we’re creating the necessary framework and guidelines to support that concept. Before the end of 2016 we will be announcing the first releases of the framework / guidelines – they will be free to download and use and have been produced by security experts, engineers and seasoned manufacturers. In 2017 we will be promoting those more actively as we’ll have the supporting materials to guide both producers and users. We aim to address the two most significant issues of complexity and cost – we believe we have answers to both challenges.

    So our message is that work is already underway – we’d like to get more organisations and people behind the effort so we can accelerate the impact we can have – please come take a look and join the mission which will affect us all.


  2. Kris Aguilar says:

    Off the cuff, I think that there needs to be government regulation in place. I would want to argue that if the company makes a bad product, then it’s the company’s fault, but IoT products are flooding the market and like you said, people want “functionality over security” and companies either don’t know or don’t care. Even though the powerhouses Twitter and Amazon were taken down, I’m sure people who frequent those sites might not even know why they were taken down.
    Heck, it may not even be a company regulation problem, but a consumer education one. IoT has just grown so fast, that the consumer world hasn’t even recognized it.

    It’s a difficult problem to solve. One way to help could be setting up scanners, similar to metal detectors, that instead of scanning metal, scan your devices on you or in your bag for possible vulnerabilities or malware currently on it.


  3. kaguilar438 says:

    Off the cuff, I think that there needs to be government regulation in place. I would want to argue that if the company makes a bad product, then it’s the company’s fault, but IoT products are flooding the market and like you said, people want “functionality over security” and companies either don’t know or don’t care. Even though the power houses Twitter and Amazon were taken down, I’m sure people who frequent those sites might not even know why they were taken down.
    Heck, it may not even be a company regulation problem, but a consumer education one. IoT has just grown so fast, that the consumer world hasn’t even recognized it.

    It’s a difficult problem to solve. One way to help could be setting up scanners, similar to metal detectors, that instead of scanning metal, scan your devices on you or in your bag for possible vulnerabilities or malware currently on it.


  4. Ricardo says:

    I think talking of self-destroying is a little apocalyptic vision, nevertheless I agree with you that it’s needed to warn all of us about the security weakness behind the IoT implementations we are working on today and convene all the actors involved to work closely to create more secure IoT platforms. I’m not completely sure if all devices need to have their own security features, there are many security technologies able to enforce IoT, in my opinion creating a broad security policy would give the visibility of process, people and technology involved in the IoT implementation, based on that wide and deep view we could choose the appropriate technology that best applies to each IoT implementation. Also we’ll work with process and more important with people, where all security systems have their biggest weakness.


    • Ben Dickson says:

      Good point Ricardo. And I do agree with you that calling it self-destructive is a bit apocalyptic and pushing it too far. I wanted to depict the extreme.
      In fact in a future post, I’ll be talking about the self-regulating nature of technology, which also applies to IoT


      • Ricardo says:

        I think you got your point, I reacted to your post…. hahahah..
        As we are hammers (tech guys) we see everything as nails and we try to solve all the problems from technology approach and we usually forget the other 2 parts of the equation, process and people. Security leans a lot on human behavior and this must be considered in our security approaches.


      • Ben Dickson says:

        It does, and a lot of the security issues we’re faced with will be dealt with through change in behavior and not necessarily rolling out new tech

