IoT devices have fundamentally changed the way both businesses and consumers function. Personal fitness trackers, digital cameras, home-grade Wi-Fi routers and drones have all weaseled their way into our daily lives, and enthusiasm for the technology shows no signs of slowing down. In fact, Gartner estimates that more than 20 billion IoT devices will be deployed by 2020, and IDC predicts that global IoT spending could hit nearly $1.4 trillion by 2021.
One of the biggest risks to IoT is that there are currently no security standards for the hundreds of new IoT devices that flood the market each year. For e-commerce, we rely on SSL to consistently secure our devices. For computers and other devices in the enterprise, communication between machines and with servers is protected via decades of standards from NIST to ISO 27001. IoT devices, however, are largely left unsecured, with most products being produced in China with little regulation. Worse, end users are often completely unaware of all the sensors IoT devices include and the ramifications they may have for privacy, such as a smart lightbulb that also records video and audio by default, for example.
Overcoming IoT security hurdles
There are a few reasons why IoT security leaves so much to be desired. Since IoT devices tend to be on the smaller side, e.g,. thermostats or watches, it can be difficult for them to handle complex software patches and updates, especially compared to more powerful computers or servers. IoT devices are also usually built with proprietary hardware and customer software, making it even more challenging to manage IoT devices, push updates and effectively enforce access control. Another major issue plaguing IoT security is the collective rush of manufacturers to deliver new IoT products ahead of their competitors. As a result, most manufacturers end up favoring ease of setup/use over adequate security.
To prioritize comprehensive IoT device security and better protect both businesses and consumers from IoT devices that are often unknowingly brought into workplaces and homes, retailers must begin to feel a sense of responsibility to protect consumers. In particular, leading retail organizations like Best Buy and Amazon need to set a precedent of evaluating IoT device security before selling these products on the U.S. market. Implementing a retail-driven security certification of approval would go a long way in protecting end users, and even better, it would incentivize IoT device manufacturers to improve their product security.
IoT-based DDoS attacks require action
With malware like Mirai and Reaper exploiting vulnerabilities in IoT devices and crippling entities that depend on internet services, retailers need to act now. In fact, the National Institute of Standards and Technology (NIST) Department of Commerce just issued a call for vendors to provide product and technical expertise to support and demonstrate security platforms for mitigating IoT-based distributed denial-of-service attacks. Although open to any organization, it behooves retailers to participate and collaborate with technology companies to address the challenges identified by NIST. The project plans to produce a NIST Cybersecurity Practice Guide, so retailers also have an opportunity to help draft tactical tips that could help consumers and businesses mitigate IoT-based automated distributed threats that prey on connected devices and networks.
If retailers continue to turn a blind eye to IoT device security, all of us stand to suffer. Businesses will lose millions in revenue, not to mention hard-won customer trust, and consumer privacy will remain in jeopardy. Retailers must establish a security certification of approval for IoT devices and work to address potential vulnerabilities before any trouble can rise. Perhaps most importantly, retailers need to form close alliances with manufacturers and work together to make IoT devices as secure as possible throughout the entire product lifecycle.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.