Security in an IoT world
For the past couple of years, more and more plug and play smart devices have emerged in the market so you can create your own smart home via your Wi-Fi network. Everything from connected baby cameras, sound systems, light bulbs, thermostats, fridges, and even electric coffee machines and kettles are now available. Even when I personally don’t (immediately) see the added value of some of these new additions, my gadget-loving heart secretly still wants to have them. But for the most part I’m still holding off because there have been more than a few occasions where it turned out that although the device did what it was purchased for, it also did something more: it made your network vulnerable.
It turned out that a connected kettle could be very easily convinced to give out your Wi-Fi password, exposing your entire network. It also turned out that the iKettle (or its app) had little to no security measures built in, and it is not the only smart device with such problems. This has been proven by other instances of connected devices gone wrong, such as Wi-Fi connected fridges and light bulbs which were also easily hacked to give up the password to your Wi-Fi network. And I believe we often do not realize that there lies a double threat: not only can someone gain access to your network and steal basically anything they want from your online activities, but they can also gain control of the network and its devices and use it in DDoS attacks (attacks where an online service is overloaded with traffic to crash it) or other criminal activities.
So now that we live in an IoT world where the number of connected devices is rapidly growing both in our personal and professional lives, the topic of security is more relevant than ever. But how do you protect yourself? Well, I’ve tried, but to be honest, anything I did is probably no match for someone with good skills and some determination to get in. Now, I’ve sort of accepted this risk, reasoning that (a) there are very likely easier targets around me (networks without any security etc.) and (b) even if they succeed I won’t lose too much sleep over old school assignments or holiday pictures made public. I wouldn’t like it, but there’s nothing too incriminating to be found. This thinking is probably also what made the iKettle vulnerable: if someone successfully hacks it, what are they going to do? Boil water? But this thinking did not take the second risk into account: having a stranger boil you some water was not the worst case scenario. The worst case was gaining access to the entire network with the Wi-Fi password, making it possible to steal all of your other online passwords as well or even to use all your connected devices for DDoS attacks. Hackers are creative thinkers, so product developers and security experts should be too.
I do still need to do everything I can to protect my own network, but I do believe I can only protect myself up to a certain level. Or I shouldn’t use any connected devices at all, but I think that ship has sailed for the most part. So this means I also have to trust in designers, developers, and manufacturers to keep me and the (online) world safe. Security has to be a top priority for any connected device released to market. However, deadlines and pressure to release products quickly often push security to an afterthought: as soon as the product does what the packaging says, people want to see returns on their investments. This is probably even more true for crowdfunded start-up companies, who may also just lack the experience and knowledge to take proper security into account.
So far this article has discussed items that are mainly used in people’s personal lives. We’ve seen the risk there and because it is personal, because it could directly affect you, it is scary. But the impact that the professional IoT world could have on this is so much bigger. As more and more companies are starting to connect their equipment (as the IoT truly offers some wonderful opportunities), exponentially growing the number of connected devices, we do have to make sure that security is the top priority it should be all around.
Anyone in the market for devices to connect their home, equipment, buildings or fleet of trucks or anything at all, has to ask potential vendors or partners about security risks and the measures taken to prevent breaches now and in the future. This goes deeper than the physical device itself; it also applies to the database the data is stored in, websites or software using and displaying that data, basically anything that is part of the chain. Information is key in cases like this. Companies (and people) need to be aware of the risks a connected world has. Not to then be scared of it and avoid it, but to prevent issues by insisting on proper security measures and improvement whenever possible. Thinking ahead about it is better for the bottom line too in the end. When little attention is paid to potential security issues, they are often only found once it’s too late, and the cost of fixing the issue in the field is usually much higher (estimated at 5 times) than if it was addressed during product development or implementation.
Using unprotected connected devices is almost like inviting the bad guys in. Companies and consumers need to demand the best possible protection, even if it means sometimes waiting a little longer or paying a little more, giving developers and manufacturers the chance to fully test their products – not just functionally but also from security standpoints. A risk-free world does not exist, but being aware and making it a priority is how we can move forward with trust in an IoT world and that’s how all of us can benefit from it in the end.