A balancing act between usability and security
The most splendid technologies have been gradually creeping into our everyday lives before this question has been fully answered – just think of the rise of smart watches. Aside from disturbing you unnecessarily by vibrating while you are giving your business presentation, you can also use them to read mail, look up contacts, check your calendar and, soon, use them to pay for your cup of coffee. But even more importantly, the watch can count your steps, monitor your heart rate and even determine your sleep pattern. All the data is sent to servers 'in the cloud'.
Another concern is the security of the data: strong passwords simply are not always enforced in the modern IoT world. Even worse, not one of the devices I investigated offers the option of 2-factor authentication, but you can operate them all remotely or download data from them via the Internet.
Maybe I'm doing the suppliers of these types of device a disservice because they are primarily concerned with features and ease of use and they are not as security-minded as I am. But it's now clear that something has to change.
A study published by HP [2] showed a number of serious security gaps in a lot of smart equipment. Further investigation made it clear that the software update systems for some of these types of system are not secure. Authentication to the download server was rated very weak and in some cases it seems it is even possible to modify the software on the download server.
It's a dream come true for cybercriminals who, when they read this report, will know exactly how to blackmail users by using software to start a fire remotely in someone's smart home, for example using the thermostat to turn up the temperature in the house to boiling point.
According to research, it also seems easy to mount a brute-force attack to get into the cloud interface of most systems. This allows a criminal to pose as the legitimate user and easily see whether or not you are home. Operating your security camera is just a nice bonus for the criminal.
Another problem is the poor encryption of the data that is sent between the smart devices. Passwords and personal data are easily available to someone with the right knowledge and tools. This also means that your corporate data can easily be intercepted: just by reading a work e-mail on your smart watch.
I advise manufacturers of smart devices to seek out co-operation with the security industry. It will not be very complicated to improve on some of the aspects highlighted above. The security industry already has experience in this so there is no need to reinvent the wheel. Consumers, on the other hand, will need to look more carefully at the potential security risks when they buy these types of device. The use of strong passwords for the applications is key to this. For businesses, a way of implementing a filter between IoT devices and the rest of the network seems sensible.
Fortunately there is still no standard for operating systems for smart devices, which at least has an inhibitory effect on malware writers (which operating system should they choose?). The drawback, though, is that there is still no security software for most smart devices.
I am convinced the Internet of Things will bring about much that is good. I can already hardly live without it. It is already making our lives easier. But there are still some essential security steps that are needed before I will recommend the use of smart devices to everyone.