Why it will take a horrifying breach to finally address IoT security weaknesses
If you look at figures from Accenture, I can see why so many people are enamoured by the possibilities and benefits of the Internet of Things (IoT) – 13% of homes already have one or more IoT devices and 69% will have an IoT device by 2019.
No one, certainly not me, said Pat Clawson of Blancco Technology Group, is denying there are inherent benefits of being able to control temperature, lighting and home security settings from a smart device. But all of this hype, excitement and hoopla around IoT has been somewhat shortsighted.
In the rush to be the ‘first to market,’ we’re seeing auto manufacturers pushing hard to integrate IoT into their latest vehicle models. While I was in Barcelona last month for Mobile World Congress, I saw elaborate displays and heard top executives from Ericsson, Fujitsu, Ford, Mercedes and Porsche talking about their latest connected products and initiatives.
But in all of these conversations and displays, there was little to nothing mentioned about how all of the data being connected to those products would be secured and protected. While this was disappointing, I cannot say I was all that surprised.
In one particular panel session at MWC titled “Securing the IoT,” I heard security experts from Intel, Philips Lighting, Telenor Connection and Sophos say not once, not twice, but almost a dozen times, “there’s no magic bullet when it comes to IoT.”
And many of the session’s panelists seemed preoccupied with IoT users’ exposure to software vulnerabilities and poor security practices such as the use of default or weak passwords. They aren’t alone in these concerns. Last September, the FBI issued a massive warning citing, “deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness.”
But when I see these kinds of warnings or hear experts talk about IoT, I keep wondering to myself: Those are valid security concerns, but what happens to the data when people move out of their connected homes, or sell their connected cars, return their connected rental cars and resell their smart alarm systems and thermostats to make some extra money? What types of safeguards can those products and their manufacturers provide to guarantee data privacy for users? What types of data removal methods are secure and reliable?
As easy as it is to say ‘there’s no magic IoT bullet,’ failing to go past that is a disservice to users. Steps need to be taken to shore up the many security gaps and weaknesses that exist in IoT – not just in terms of malicious attacks, but also in the very real and common scenarios of erasing the data when it’s time to discard or resell those smart products. And I know I’m not alone.
Each year around 11% of the UK population moves to new homes and with more and more people renting flats well into their 30s, that figure is only likely to increase. And the increasing popularity of sharing economy sites like AirBnB and HomeAway means many properties have a rapid turnaround of temporary residents. So we need to be building data removal capabilities into these products and services with the expectation that they’ll have multiple owners.
The devices themselves are often set up to routinely access and store data. They even proactively encourage us to connect them to everything from our mobile phone to our Facebook account, delivering a seamless user experience. For as long as a person lives in their home, there is a valid reason for such technologies to have these access rights.
But the moment a person vacates their home, these connected systems simply become an unnecessary data store that we no longer control. At this point, it’s imperative that we provide users with a simple means of ensuring all personal data is verifiably removed.
In the short term, it could become a real point of differentiation for IoT manufacturers wanting to reassure customers that they have built in the necessary data privacy controls. In the long term, I can only hope it becomes a condition of entry to the more established IoT platforms.
Most manufacturers have so far focused their efforts almost exclusively on ease of use and the customer experience. But users’ privacy needs to be given equal precedence. It’s much easier to build devices with such protections in mind than to try to retroactively enhance security protocols at a later stage.
I worry that the only way this will finally change is when a massive and horrifying breach occurs as a result of failing to remove data from an IoT product. If we keep going at the current pace, it could happen quite soon. Why does it feel like not enough companies and people are worried about this?
Making this a reality is perfectly achievable. But it requires a few things to happen. First, there has to be a true admission from both manufacturers and security experts that failing to remove data from smart/connected ‘things’ poses a very real and serious security risk to individuals. Second, it requires changes to the way products have traditionally been developed, launched and even marketed.
Going forward, IT and data science teams need to be invited to participate at the earliest stage alongside product developers, UX/UI designers and engineers. Only then will we have the full range of perspectives and skillsets required to boost adoption, protect personal information and improve the customer experience. And even in the marketing stage after a product is officially available for purchase, we need to see data removal and security become part of the messaging and advertising.
The author of this blog is Pat Clawson, CEO at Blancco Technology Group.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow