IoT devices like Fitbits, pet trackers, and smart TVs all make your life easier and more convenient. But since these devices store your personal data and communicate with a lot of other internet-connected devices, your privacy is more vulnerable than ever before.The Internet of Things is notorious for having weak security, even though the technology harbors some extremely sensitive information. And cyber criminals are definitely aware of this vulnerability -- IBM reported that criminal IoT compromises have exploded by 600% this year.
But despite the technology’s major security risks, Gartner expects consumers to possess over twice as many IoT devices in 2020 as they do today, increasing the number of world-wide IoT devices from 11 billion to 26 billion.
It’s clear that IoT devices’ convenience and savings prompt consumers to keep buying them, despite their associated risks. But if IoT products are more popular than ever right now, why aren’t vendors scrambling to fix their products’ security issues?
Revenue Trumps Security
The rush to release products in the booming IoT market is similar to the personal computer craze in the mid-90s. Businesses wanted to reap the rewards of selling computers that had their own software and operating systems before they missed out on a massively profitable opportunity.
To quickly develop these new personal computers, release them, and, ultimately, cash in on them, they decided to put their computers’ serious security issues on the back-burner. They could worry about them after they made enough money.
But making security an afterthought placed an enormous amount of risk on these businesses’ customers. Viruses, worms, and spam could easily infect their computers’ software and operating systems, allowing cyber criminals to infiltrate people’s personal computers and steal their data.
In the flourishing IoT market, which is bolstered by a forecasted global market value of $1.7 trillion in 2019, businesses are also scrambling to enter before it’s too late. Unfortunately, though, one of the fastest and cheapest ways for companies to develop and release IoT products is by turning a blind eye to the strength of their devices’ security. Building strong security into IoT products is expensive, could hamper the devices’ speed and abilities, and would slow down their development and release.
IoT vendors can gloss over their devices’ security in various ways, but one of the most fixable problems they have is hard-coding weak usernames and passwords into their products. This means they permanently assign incredibly predictable credentials, like “admin” or “12345” to their customers’ IoT devices. In fact, cyber security researchers at Symantec discovered that over 60% of IoT devices’ passwords last year were “admin” or “12345”. And since consumers can’t change these predictable credentials, hackers can easily guess their devices’ passwords.
Another reason why IoT vendors want to develop and release their products so quickly is that it allows them to collect as much consumer data as possible. Gathering hoards of this precious information will help businesses improve their IoT devices and generate more revenue in the future.
The fate of IoT is worrisome, to say the least, and its wobbly security naturally begs the question: what are the current and future risks of such an insecure technology?
Current and Future IoT Security Threats
For now, the Internet of Things is relatively secure. Hackers can’t exploit the technology to blackmail people or devastate entire organizations because most internet-connected devices are built on different platforms, operating systems, and use different programming languages. Developing malware attacks for every type of IoT device isn’t feasible or worth a cyber criminal’s time.
According to Forrester research, though, as IoT grows in popularity, its security will become weaker.
An ever-expanding Internet of Things will need to integrate with the public cloud, which will give hackers access to consumers’ personal data and open the technology up for more malicious attacks. For instance, cyber criminals could hack your smart car while you’re driving and threaten to disable your vehicle in the middle of the road unless you pay them a ransom. They could also hack systems that deliver water and power to your workplace and threaten to destroy it.
It's important to note that major IoT attacks like the example scenarios above aren’t a possibility now. But even though cybercriminals currently can’t orchestrate catastrophic IoT security breaches, they can still exploit your smart devices’ vulnerabilities to access other systems connected to it. For example, if your smart fridge can order groceries from the local supermarket, then your bank information is stored in the fridge’s network. In turn, people who hack your fridge could access your funds.
IoT devices are already commonplace, and soon, almost every business that sells household devices will connect their products to the internet. This way, they can collect as much consumer data as possible.
But if IoT companies think they can gather unprecedented amounts of data from their customers and not make a concerted effort to shield their personal information from malicious cyber criminals, they’ll lose their customers’ trust and business. For the sake of retaining loyalty, revenue, and their own decency, IoT vendors need to start strengthening their devices’ security before hackers ruin the industry’s public perception for good.
How Companies Can Protect their Customers from IoT Security Threats
In 2017, the U.S. Government passed the Internet of Things Cybersecurity Improvement Act, which sets security standards for IoT devices that vendors can sell to the U.S. Government. The bill requires IoT vendors to ensure that they can patch up any of their devices with new security updates, they won’t hardcode their devices’ passwords, and they won’t sell devices that have any known vulnerabilities.
While the Internet of Things Cybersecurity Improvement Act is a huge step forward for strengthening IoT security, it really only protects the Government from IoT security threats. Businesses should prioritize the everyday consumer’s security just as much as the Government’s, but this movement is off to a slow start. IoT vendors like Amazon are currently building IoT security solutions, but their products are all still in the early stages of development.
Some cybersecurity experts suggest forming a partnership between the government and the cyber security and intelligence communities could bolster the technology’s security. Together, they could determine the best set of security protocols for IoT devices and pass these regulations into law.
Hopefully, the government can help protect consumers from IoT security threats soon, but before you bank on them to protect your devices and data from malicious hackers, check out these five ways you can rely on yourself for protection.
How Consumers Can Protect Themselves from IoT Security Threats
1. Choose reputable IoT device vendors.
You might have to pay more for a reputable vendor’s products in the short-term, but their commitment to security will save you money and maintain your peace of mind in the long-term. That said, if you don’t know if you can trust a reputable IoT device’s security, don’t connect it to the internet.
2. Immediately change your devices’ login and password.
Hackers can easily find most IoT devices’ default passwords online. To protect your devices and data, use a password manager like LastPass to generate a random password for each of your IoT devices -- they’re nearly impossible to crack.
3. Always update your devices’ and connected systems’ software to its latest version.
When IoT vendors discover vulnerabilities in their products, they will issue software updates, or patches, to fix them.
4. Separate your home IoT devices from your business IoT devices.
If a cybercriminal hacks your home network, you don’t want them to be able to access even more of your personal data, like information about your work.
5. Limit the number of devices you connect to the internet.
Does every appliance in your home need to be smart? Once you connect a device to the internet, it connects to millions of other computers, allowing cybercriminals to hack your device.
More Security, More Money
Inevitably, companies who sold personal computers in the mid-90s didn’t leave their products plagued with vulnerabilities. They ended up fixing their security issues. And more than 20 years later, business is still booming. If the IoT market wants to live a long, prosperous life like their digital counterpart has, they must follow suit. Because even though shoring up security might cost IoT companies more money now, it’ll help them gain more trust, loyalty, and revenue for the future.
Originally published Aug 31, 2018 6:00:00 AM, updated October 23 2018