One of the downsides of the Internet of Things (IoT) is the often flimsy security that comes along with them. This is especially true on the consumer side. Before we ever heard of the IoT, there was M2M (Machine to Machine). Security was a concern because M2M was doing important “stuff” – e.g., supply chain management, traffic control. Many IoT apps are consumer based and are not considered especially critical. More focus is typically paid on the user experience than on the apps technical underpinnings. The developers of these apps aren’t likely to be security experts, and they may be working on their own or part of a small team without deep security knowledge. Thus, in many cases security gets short shrift. Overall, whether the “things” in the IoT are in your house or on your person, or in industrial, transportation, or health care setting, security needs to be factored in.
An article by Ben Dickson that appeared in Tech Crunch earlier this week took the security issue on.
He led with an interesting finding:
“According to a survey by Auth0 [an identity management company], more than 50 percent of consumers and 90 percent of developers are skeptical about IoT security. (Source: Tech Crunch)”
Securing the IoT will be a complex endeavor, and to help us parse through the issue, Ben broke things down into a number of categories (and lists some vendors, which I won’t get into here).
Dealing with network connectivity threats. The fact that IoT devices are always on/always connected “makes them especially vulnerable to breaches from outside attackers or from compromised devices sharing the same network.” Given lack of security expertise on the part of many IoT app developers – and the pressures they feel to get products quickly to market – the answer may be ready-made, off-the-shelf network security packages that can be plugged and played.
On device data protection. Some data needs protection more than other data. (You probably care more about your health information than you do about info on what sports teams you follow.) Encryption technology will be moving onto IoT devices.
Device isolation. “Without isolation, IoT devices allow attackers to move laterally across a network after they gain an entry point. This way, hackers infiltrate one device and start probing the entire system until they find the real prize, e.g. a database or repository that contains sensitive customer or business data.” To remedy this situation, one company Dickson mentioned is developing a home WiFi router with a built-in intrusion detection system.
Other security issues include the number of IoT devices on which the firmware can’t be patched or updated; another is all that data being grabbed from IoT apps and sent to the cloud.
Lots to think about here…