July 2, 2020

IoT – is it ready for widespread implementation?

IoT is one of the largest growing markets, with the 5G rollout encouraging even more products to hit the market. However, a question still remains: is the security robust enough? This article investigates whether IoT is ready for its own future …

According to predictions by IoT-Analytics GmbH, end-user spending on IoT will reach up to $1.5 trillion by the year 2025, up from $110 billion in 2017. This shows the incredible growth projection for IoT. In conjunction with the 5G rollout and edge cloud computing, IoT could really thrive. From self-driving cars to smart homes, IoT has the potential to change the world as we know it. However, is IoT ready for these developments?

IoT has had problems in recent years. In 2016, the Mirai malware was used to cripple the infrastructure of major websites including Twitter, Netflix and GitHub. This malware targeted internet-enabled security cameras and similar devices to create a botnet, which was then used to launch a Distributed Denial of Service (DDoS) attack. This kind of attack co-ordinates many devices to send huge quantities of internet traffic to websites in order to slow them down or disable them. It can only occur if someone has control of large numbers of devices, as in the 2016 attack. Mirai exploited the fact that these devices shared common default login details, which consumers failed to change. This is just one example of IoT devices being hijacked globally in an attempt to cause large-scale outages.

Another example of poor IoT security was the CloudPets data breach in 2017. CloudPets was a company that allowed people to send recorded messages to young family members via a teddy bear, mainly targeting working parents and grandparents. The problem here was that the account system for this toy did not have password rules, meaning that most people chose a very simple password, resulting in an estimated 820,000 accounts using the password ‘Cloudpets’. This is a prime example of how a lack of simple security measures can cause widespread privacy concerns.

Furthermore, IoT suffers from a lack of industry standards. Currently, each company may have its own set of rules and therefore self-regulate, making it difficult for the consumer to know which device is safer. Because this means that security is not usually a point of competition for these companies, they may have no economic incentive to invest in security; it has no additional value for them. This is likely to continue because most consumers now view good device security as standard and so are less willing to fork out for better security on their devices. For example, according to a report by McKinsey, 42% of semiconductor companies say that consumers are expecting a year-on-year decline in the price for their next tier of enhanced chip security. This shows differing expectations between the chip suppliers and consumers.

There is hope, however. Microsoft have recently announced the acquisition of CyberX, a cybersecurity platform which claims to be at the forefront of reducing IoT risks. This is an extremely important step as it shows one of the largest organisations in the world addressing the problem of IoT security, which hopefully will encourage others to do the same. Microsoft have stated that “CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, Operational Technology and infrastructure scenarios”. CyberX is one of a growing number of companies looking at securing IoT products already out there, showing that the demand for secure IoT devices is there but the supply is falling short.

The government are also catching up. A report named ‘Secure by Design’ was published in 2018 setting out the UK government’s ‘Code of Practice for Consumer IoT Security for Manufacturers’. This report has many recommendations, including 13 statements which outline a code of practice for manufacturers. These statements included ‘no default passwords’, ‘implement a vulnerability disclosure policy’ and ‘keep software updated’. The entire report can be found here. This report shows how the legislature have slowly realised the dangers of an unregulated IoT market, which could wreak havoc in the future if threats are not neutralised.

In early 2019, the European Standards Organisation (ETSI) launched a similar report which outlined an industry standard on consumer IoT devices. Its premises have been built on the ones in the UK government report, although adapted for both European and wider global audiences. This has culminated in the UK government indicating (in early 2020) that they will attempt to pass a new law to “protect millions of users of internet-connected household items from the threat of cyber hacks”. This is amazing news and will hopefully have a large impact on the IoT market, making it safer and more reliable.

More recently, ETSI have released a new European standard for consumer IoT, named ETSI EN 303 645. This standard lists 13 provisions, similar to the UK government report, on the security of internet-connected consumer products, which aim to provide a single objective for both manufacturers and stakeholders to attain. Hopefully this will pave the way for IoT security to be at the forefront of our minds.

In conclusion, it is clear that IoT still has some way to go in terms of security if it is to be widely adopted in our lives. Conversely, the recent news on Microsoft, the UK government’s agenda and the ETSI standards shows that organisations, governments and standards authorities are taking notice and action, which will hopefully ensure that IoT will be safe and secure for the years to come.

Sources: iot-analytics.com, microsoft.com, cyberx-labs.com, gov.uk, arubanetworks.com, hpe.com, mckinsey.com, internetofthingsagenda.techtarget.com, techgenix.com, etsi.org, kaspersky.com. All accessed on 02/07/2020.
