Dealing with the Internet of (insecure) Things

by Phil Kernick, Chief Technology Officer, CQR

A rapid rise of internet-connected devices offers huge potential benefits for businesses and consumers, however it's also sparking increasing concern among IT security experts. 

The connected devices that form the Internet of Things (IoT) come in a plethora of form factors and are designed to undertake a range of different tasks. What's less clear is now secure they might be.

One group of IoT devices comprises what could be termed 'dumb' items. These range from simple sensors that detect temperature or vibration to smoke alarms and movement monitors. More complex dumb IoT items include home automation and building monitoring systems, power meters and some medical equipment.

Another group of 'smart' IoT devices includes everything from mobile handsets and watches to cars, fridges and televisions. These have user interfaces that allow a human to control their functions and determine how they communicate with the outside world.

Accompanying these devices is an array of equipment that is already installed in many homes and offices. This includes network routers, storage arrays, wireless access points, printers, copiers and cameras. All are essentially personal computers in different form factors.

The IoT in action

Many people have not even begun to consider the services IoT devices will deliver in coming years, however the potential is clearly huge. According to a recent report from US-based carrier Verizon, the IoT market will grow by 35 per cent a year until 2020 when it will be worth $US1.16 billion.

In the home, automation will shift from being a complex novelty to the norm. Residents will be able to control everything from lights and appliances to security and monitoring systems with ease. Wall switches will become configurable and work with more than just lights. Heating and cooling will be adjustable from anywhere.

On the medical front, IoT devices will constantly monitor an individual's weight, blood pressure and  sugar levels and generate alerts if thresholds are reached. In hospitals, devices will relay data to central systems for analysis, alerting doctors when anomalies are detected. Even toilets and tooth brushes will become medical monitoring devices that can track personal health and spot problems.

The security challenge

While the benefits of IoT are becoming clear, less so are the security issues that will eventuate. Having millions of devices connected to the internet sounds like a great idea, but it also opens up new opportunities for hackers to cause disruption.

Consider the implications of a criminal taking over a home automation system, or disabling critical items in a hospital. They could also compromise video cameras or cause a connected car to malfunction.

One of the key issues is that device manufacturers have not been paying sufficient attention to the issues of security. They're focused on producing devices that are easy to use and cheap to purchase, however the task of making them secure comes a distant third.

In many cases, the challenge begins with the device's operating system. To keep costs down, manufacturers often opt to use an open source OS such as Linux and neglect to add any security layer. Many also use easy-to-guess passwords that users often fail to change.

The situation will become even more challenging as IoT devices increase in capability. Today, it's possible to get a fully functional personal computer on a device the size of an SD card and it costs about $20. In five years time, that same capability is likely to be the size of a grain of rice, cost around $2, and be five times as functional. It's not hard to imagine what opportunities that will open up for hackers.

Striking a balance

Making the IoT as secure as possible requires finding a balance between three factors: ease of use, cost of purchase, and security. It's easy to have two of those, but getting all three is a different matter.

Device manufacturers want their offerings to be easy to use and low cost, but they don't care so much about making them secure. Making them easy to use and secure means they'll need to have a higher price tag.

It's a situation that can be likened to the battle between Apple and Android. Apple has made its devices secure and easy to use, but they also have a premium price tag. Android devices, on the other hand, are also easy to use but are much cheaper. This has been achieved because there has been much less focus on security.

For the IoT to deliver on its promise of an interconnected, more efficient world, more attention needs to be given now on how devices can be made more secure. A failure to do this could result in anything from annoying outages in connected lights to life-threatening situations in hospitals. The time for action is now.