Vendors, retailers, and users need to act together to “avoid digital disaster” caused by insecure IoT devices, warns a tech security group.
Failing to tackle the insecurity of the Internet of Things and connected devices could lead to the technology’s weaponization, resulting in irreversible consequences for us all.
Incidents including the Mirai IoT botnet cyberattack and stuffed toys being found to leak unsecured personal information onto the open internet have demonstrated that security around the Internet of Things is still immature, even as these devices proliferate in our homes and workplaces.
In order to prevent the long-term consequences of insecure IoT devices resulting in property damage, theft, or even physical harm to people, tech industry body the Online Trust Alliance (OTA) has called on the technology sector, businesses and industry, the government and consumers to come together to “avoid digital disaster”.
The call comes in the OTA’s new report, Securing the Internet of Things: A Collaborative & Shared Responsibility, which warns how “too many IoT devices appear to be designed primarily for convenience and functionality while long-term security is conspicuously absent”.
The report comes shortly after the World Economic Forum warned about the potential threats to society from IoT hacking.
Likening the risk to global warming or industrial pollution, the OTA warns that there will be long-term consequences resulting from failure to deal with IoT threats and that lack of action has already “created a treasure chest ripe for abuse by white collar criminals, terrorists, and state-sponsored actors as IoT devices become weaponized”.
“All too many connected devices sold, ranging from automobiles and thermostats to children’s toys and fitness devices, have insecure remote access and controls. By default many collect vast amounts of personal and sensitive information which may be shared and traded on the open market,” warns the report, which notes how many of these devices don’t have the functionality to remove personal data if they are sold or lent out.
As voice-enabled devices like Amazon Echo and Google Home take off, a lack of sufficient user authentication on these assistants could be exploited, the report warns, as demonstrated by incidents where home assistants have bought items after hearing instructions from children or even voices on television.
If this sort of risk isn’t curbed, the OTA suggests that we could get to the point where people could issue commands to devices in the home or workplace by yelling through a window or leaving a message on an answer machine. If they ask devices to unlock the doors, outsiders could potentially walk right in.
“It does not take much imagination to realize the risk and impact of physical harm which could occur,” the report warns.
In order to combat this risk, the OTA calls for both the public and private sectors to work together to ensure security is built into Internet of Things devices as “all stakeholders bear a responsibility”. This includes retailers, developers, ISPs, regulators, government, and consumers.
The OTA argues that the IoT shows a lot of promise, but in order to protect users, action is needed now to “maximize the security, privacy and vitality of all IoT devices”.
“Acting now will help prevent and mitigate the risk of a digital disaster. We all have a role and responsibility to address security and privacy,” the report said.
It said retailers and resellers should help “in setting baseline security and privacy measures for the products they profit from”. Meanwhile, developers and manufacturers should disclose their security support commitment to users prior to purchase and “clearly articulate their security and privacy policies”.
In addition, sellers of homes and cars should be encouraged to disclose all such devices and features, disable their access, and provide new owners the ability to reset them, turn in their physical and digital keys, and remove all personal data.