When IoT devices are everywhere, the security headaches just get worse.
Billions more everyday items are set to be connected to the internet in the next few years, especially as chips get cheaper and cheaper to produce — and crucially, small enough to fit into even the smallest product.
Potentially, any standard household item could become connected to the internet, even if there’s no reason for the manufacturers to do so.
Eventually that processors needed to power an IoT device will become effectively free, making it possible to turn anything into a internet-enabled device.
“The price of turning a dumb device into a smart device will be 10 cents,” says Mikko Hyppönen, chief research officer at F-Secure.
However, it’s unlikely that consumer will be the one who gains the biggest benefits from every device their homes collecting data; it’s those who build them who will reap the greatest rewards — alongside government surveillance services.
“It’s going to be so cheap that vendors will put the chip in any device, even if the benefits are only very small. But those benefits won’t be benefits to you, the consumer, they’ll be benefits for the manufacturers because they want to collect analytics,” says Hyppönen, speaking at Cloud Expo Europe.
For example, a kitchen appliance manufacturer might collect data and use it for everything from seeing how often the product breaks to working out where customers live and altering their advertising accordingly in an effort to boost sales — and the user might not even know this is happening, if devices have their own 5G connection and wouldn’t even need access to a home Wi-Fi network.
“The IoT devices of the future won’t go online to benefit you — you won’t even know that it’s an IoT device,” says Hyppönen.
“And you won’t be able to avoid this, you won’t be able to buy devices which aren’t IoT devices, you won’t be able to restrict access to the internet because they won’t be going online through your Wi-Fi. We can’t avoid it, it’s going to happen.”
Indeed, it’s already started, with devices you wouldn’t expect to need an internet connection — including children’s toys — being discovered to have gaping cybersecurity vulnerabilities.
These scenarios, says Darren Thomson, CTO & vice president of technology services at Symantec, are occurring because those in the technology industry are thinking about whether they could connect things to the internet, but aren’t thinking about whether they should.
“Could I attach my dog to the internet? Could I automate the process of ordering a taxi on my mobile phone? We’re obsessed with could we problems. That’s how we live our lives and careers, we invent things and we solve problems. We’re good at ‘Could we’,” he said, also speaking at Cloud Expo Europe.
No matter the reason why things are being connected to the internet, Thomson agrees with Hyppönen about what the end goal is: data collection.
“The connectivity of those devices is impressive and important. But what’s more important is how that’s coming to bare across various markets. Every single sector on the planet is in a race to digitise, to connect things. And very importantly, to collect data from those things,” he says.
However, various incidents have demonstrated how the Internet of Things is ripe with security vulnerabilities as vendors put profit and speed to market before anything else, with cybersecurity very low down the list of priorities.
Retrofitting updates via the use of patches might work for a PC, a laptop or even a smartphone, but there are huge swathes of devices — and even whole internet-connected industrial or urban facilities — for which being shutdown in order to install and update is impossible.
“The security industry to date is predicated on the benefit of the retrofit. IT has designed insecure systems then we’ve secured them. That’s kind of OK in a world where a device can have some downtime,” says Thomson.
“But a car, a building, a city, a pipeline, a nuclear power facility can’t tolerate downtime. So if we don’t build security and privacy in to our designs from the very first whiteboard, we’re going to leave ourselves with a problem.”
Not only that, but as IoT devices become more and more common, people will start to ignore them
“The reality of the human mind is as we embed things, we tend to forget about them, we get complacent about them. Many of you are probably wearing a smart device on your wrist to monitor your behaviour and exercise routines. But no doubt two weeks after you started wearing it, you forgot it was there,” he says.
“The danger from a psychological perspective is that people forget about that technology and forget about the risks associated with it and our own personal mitigation of that risk.”
Even now, consumers are too blasé about connected devices, keen to jump on the latest technological trends failing to realise the associated security risks. Then even if they do, they remain unclear on how to secure the IoT devices — that is, if there is the option of securing it in the first place.
“Nobody reads the manual, especially to page 85 where it says how to change the default credentials, or page 90 where it says how to set up user accounts and restrict access to the admin interface, or page 100 where it says how to segment your network,” says Hyppönen.
He likens it to the “exact same problem we had in the 80s” when people wouldn’t even bother to set a time on their video recorder as it involved picking up the manual, so it’d end up always flashing 12:00.
It’s therefore important for the Internet of Things cybersecurity loopholes to be shut sooner rather than later so as to avoid nightmare scenarios where hackers could exploit vulnerabilities to attack anything from pacemakers and other medical devices, to connected cars to even entire industrial facilities.
But are IoT device manufacturers going to do this anytime soon? Probably not.
“The manufacturers of IoT devices are unlikely to fix this by themselves. They’re unlikely to start investing more money in their IoT devices for security because money is the most important thing in home appliances,” says Hyppönen
“When you buy a washing machine, price is the most important selling point. Nobody’s asking, ‘does it have a firewall or intrusion prevention systems?’ Cybersecurity isn’t a selling point for a washing machine, so why would manufacturers invest money in it?” he adds.
It might eventually be regulation which has to fix this problem; as Hyppönen points out, device safety is already regulated. “When you buy a washing machine, it must not short circuit and catch fire, we regulate that. Maybe we should regulate security,” he says.