Gradually, almost without anyone realizing it, IoT devices have become an indispensable part of our everyday routine, bringing unprecedented levels of convenience and making our lives easier and more enjoyable. Aimed not only at adults, but also children and pets, IoT devices come in all shapes and sizes, ranging from smart TVs, thermostats, locks and security cameras to children’s toys, baby monitors and pet trackers. The way things are going, almost every device in our homes could soon be equipped with sensors and connected to the internet.
However, all that convenience comes with one major drawback. IoT devices are notorious for their lack of security, mostly because manufacturers tend to neglect that aspect in the rush to get their products to the market as soon as possible and capitalize on this new opportunity. Implementing strong security features is very expensive and time-consuming, so manufacturers will often choose not to go through with it, leaving these devices exposed to attacks from the outside.
The number of IoT devices could reach 28.5 billion by 2022
The number of IoT devices has increased exponentially in recent years, and this trend shows no signs of slowing down anytime soon. In fact, networking hardware company Cisco predicted that there will be 28.5 billion connected devices in the world by 2022. Even today, it would be very difficult to find a household that doesn’t have at least one connected device. Cisco also estimated that the average number of connected devices per person will grow to 3.6 by 2022. North America is expected to spearhead the trend with 13.4 connected devices per person, followed by Western Europe with 9.4.
As the number of IoT devices increases, so does the number of cyberattacks directed at them. According to cybersecurity company Kaspersky Lab, there were three times more attacks on connected devices in the first half of 2018 than in all of 2017. Previously, in the period between 2016 and 2017, the number of attacks increased 10 times, indicating a troubling upward trend that’s set to become even more pronounced in the coming years as IoT devices become more ubiquitous.
How dangerous are unsecured IoT devices?
There are a number of ways manufacturers can leave IoT devices vulnerable to hackers, but the most common involves assigning weak default login credentials. Even worse, those credentials often can’t be changed, and even if they can, users are rarely prompted to do so. This allows hackers to easily obtain them, sometimes with nothing more than a web search, and take control of the compromised device. The infamous Mirai botnet attack of 2016 still serves as the best example of just how dangerous unsecured IoT devices can be. It was the most disruptive distributed denial-of-service (DDoS) attack in history, in which hackers gained control of more than 100,000 poorly secured IoT devices and used them to launch a sustained assault on the leading DNS provider Dyn, taking down numerous important websites in the process, such as Twitter, Netflix, Amazon and CNN.
However, IoT devices aren’t used just to launch DDoS attacks. Hackers are also increasingly using them to attack consumers directly and steal their personal data or use their systems to mine cryptocurrencies. Princeton University recently conducted a comprehensive study of more than 50 consumer IoT devices, including smart TVs, security cameras, smart lightbulbs, smart smoke detectors, sleep monitors, smart blood pressure monitors and children’s toys. The study revealed that many of the devices tested lack even basic encryption and authentication features, allow attackers to infer user behavior from encrypted traffic metadata, or communicate with third parties without users’ knowledge.
The lack of regulation is one of the biggest issues associated with IoT devices, but things are starting to change in that regard as well. The U.S. government was among the first to take the threat posed by unsecured IoT devices seriously, introducing a number of IoT-related bills in Congress over the last couple of years. It all began with the IoT Cybersecurity Improvement Act of 2017, which set minimum security standards for connected devices obtained by the government. This legislation was followed by the SMART IoT Act, which tasked the Department of Commerce with conducting a study of the current IoT industry in the United States.
Furthermore, California recently became the first U.S. state to pass an IoT cybersecurity bill, which will require manufacturers to equip all connected devices with reasonable security features. While the bill doesn’t make it clear what those reasonable security features are exactly, it does specify that devices that allow access from outside of a local area network need to have either a unique default password or prompt users to choose their own during setup. Although it’s been criticized by some cybersecurity experts for being too vague and simplistic, it nevertheless marks an important step towards making IoT devices more secure.
Other governments are also stepping up their efforts to protect consumers from this growing threat. The UK government released the Code of Practice for consumer IoT security in October 2018, which sets forth guidelines for improving the security of consumer IoT products and associated services. Similarly, in November 2018, Germany’s Federal Office for Information Security published its suggestions for minimum security standards and features required for broadband routers.
The number of IoT devices continues to increase at a rapid pace, and it’s becoming increasingly clear that this technology is here to stay. While they provide numerous benefits, IoT devices also come with a variety of security and privacy concerns. Until manufacturers raise their standards and invest more in implementing strong security features, businesses and consumers will have to do their own part to ensure that the devices they bring into their workplaces and homes aren’t a security risk. The best way to do that is to purchase IoT devices exclusively from manufacturers with a proven track record when it comes to security; use unique, strong passwords for each device; and always keep software and firmware updated. Even that won’t be enough to completely eliminate the threat, but it will at least minimize it.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.