The Consumer Electronics Show in Las Vegas has just wrapped for another year. And in amongst the weird and wonderful innovations were a series of announcements that pricked the ears of the security and privacy communities.
Late last year, malware took control of millions of connected devices in one of the first global IoT attacks. The code was then adapted, released publicly and used to attack other companies. This was a wake-up call for everyone involved, as connected device vendors and ISPs realized that their security needed to be improved. The attack was so powerful because default admin passwords on devices were easily guessed, rendering them instantly controllable by malicious actors.
Security in the IoT
In response, a number of companies were showcasing new routers at CES that could help detect when devices were behaving strangely. Symantec announced the Norton Core, which will analyze each packet of data for suspicious activity and subsequently quarantine devices or data if anything is detected. Bitdefender’s Box takes a similar approach in that it too looks for vulnerabilities in network ports, the presence of any unknown back doors and weak passwords. It will then alert the user about the steps to take to protect their devices and data.
Hopefully ISPs will take note of these new solutions and start to integrate them into their own routers and gateways for customers. For now, it seems that most consumers are entirely unaware of the IoT botnet threat and are unlikely to invest in a security solution. Perhaps it will take a global hack of consumer devices that disables security alarms, opens webcams to prying eyes or manipulates thermostats to make people notice.
Gartner’s Market Guide for IoT Security is a good starting step for any enterprise looking to embark on projects involving connected devices.
Privacy in the IoT
The undoubted star of CES was the Amazon Echo with its Alexa virtual assistant. Dozens of companies announced services that would connect with the Echo to automate parts of our lives. The promise is obvious – control your home with just your voice. A big part of why the smart home has yet to truly take off is that people have had to interact with their devices through mobile apps. This is fine if you have one or two apps controlling your lights or heating. But when you start to add in home security cameras, kitchen appliances and entertainment systems, the simplicity and elegance quickly fall away as you (and any others in your home) have to have all the apps installed, and your phone on hand at all times.
The issue that now arises is that, to work, devices like the Echo need to be listening continuously for a trigger command. Amazon has been very open about how it manages and transmits data. Before it hears the wake-up word, no data is sent to the cloud. Once it hears the question or request, it sends an encrypted message to get the information it needs. Users can also log in to the Amazon website and delete information sent by the Echo.
It is hard to tell if other companies will be as scrupulous in handling customer data. It seems the debate about privacy and the IoT is just heating up. The more open you are about letting third parties have access to your email, calendars, photos, messages and appliances in your home, the more useful they are. But at the same time, you inevitably forgo control of your data for the convenience. A fine line to walk, and no doubt a big theme of discussion for the year ahead. Regardless of the application, there’s a simple three-prong approach that any organization can take for implementing IoT security: secure the device, secure the cloud, and manage the lifecycle of security.
2017 promises to bring the consumer Internet of Things closer to its promise. But there are issues that need to be addressed if its potential is to be realized without painful breaches and attacks occurring in the interim.