The Internet of Things, or IoT for short, has been growing and will continue to grow. Some prognosticators estimate that there will 50 billion internet-connected devices by 2020, although other estimates (from people who are less prone to exaggeration) are around 20 billion. That is still several devices for every man, woman, and child on the planet. The spread of these devices feels like an unstoppable juggernaut. It seems as though anything and everything is having a chip inserted to connect it to the rest of the world, regardless of the value or wisdom of it.
Connectivity for connectivity’s sake
It’s too easy, and that’s part of the problem. Let’s say a wonderful new internet-connected doohickey hits the market and it sells like hot cakes from John O’Groats to Land’s End and beyond. Then, two years later, when there’s a doohickey in every living room, some ingenious miscreant finds a security hole in the doohickey’s software that allows them to take complete control over it, or maybe just acquire the unencrypted Wi-Fi password from the doohickey’s memory. If we’re lucky, then the doohickey manufacturer is still in business and can supply a fix, but it’s most likely not possible for them to fix every doohickey, or even a small percentage of doohickeys.
This example might not be relevant in a business setting: all of the devices can be gathered up and the firmware can be updated to resolve any issues. It would be inconvenient, but not impossible. But what if the company isn’t aware of the issue? Or if there isn’t a fix available because the manufacturer went out of business a couple of years ago? Or if the manufacturer is no longer providing fixes because they want everyone to upgrade to Thing v2.0 instead? These scenarios should be sounding quite familiar. The business could be stuck with the compromised devices, or might need to replace all of the devices at considerable expense.
Is it time for more oversight?
The best possible future for the Internet of Things would be for governments and organisations like W3C (who oversee internet standards) to start to recognise and discuss the risks, and begin investigating how to make improvements. This could lead to guidelines and regulations for manufacturers to adhere to so that the consumer could buy these devices with confidence that the vulnerabilities had been reduced to an acceptable level. However, despite numerous high profile security breaches, these discussions aren’t taking place, so the ball remains in the consumer’s court. We can only speculate at what level of severity an attack would need to be in order to spark this kind of debate, which is a chilling thought.
Keeping your devices secure
So how does one reduce the risk associated with these devices? The best advice is to not forget about them. Keep up to date with any updates that are released, keep an ear out for any news regarding the devices or the manufacturer, and consider when the end-of-life for the device should be. Also, we don’t need to make it easy for attackers by keeping the default passwords or PINs on these devices, because even the movie Spaceballs recognised that “12345” is not a good password thirty years ago.
