Mike Lynch, Chief Strategy Officer
The proliferation of IoT devices is skyrocketing. According to Gartner, approximately 5.5 million new IoT devices are connected to the internet each day in 2016, an increase of 30 percent from 2015, bringing the worldwide total to 6.4 billion connected things for the year. If current growth rates hold, there will be almost three devices for every single person on Earth in 2020.
Imagine a scenario in the not-too-distant future where the next time you got in your car, it refused to start until you updated the software controlling the steering wheel. Now imagine your frustration as you waited for the update to download and install before you could drive to your destination.
Now imagine an entire day like that. You couldn't watch TV until the latest security patch was installed, couldn't adjust the thermostat until it's updated, and can't change the temperature inside your refrigerator until you enter a new, more complicated, harder-to-remember password. So you write it down, either on your device or maybe on a piece of paper.
As a consumer, such a scenario would be unbearable. But such a future is not totally outside the realm of possibility. Some security experts believe that the end user (the consumer) should be more involved in securing their own devices in an effort to close their vulnerabilities, vulnerabilities that were recently exploited in a big way back in October.
The enormous DDoS attack that brought down major internet sites last month including Amazon, Twitter, and Spotify was made possible by nefarious actors infiltrating thousands of everyday, internet-connected devices, infecting them with malware and using them to launch a powerful, coordinated attack on Dyn, a major internet infrastructure provider.
In a rush to get IoT products to market, security is often relegated to afterthought status. In this specific incident, thousands of devices were developed and distributed with ridiculously lax default user names and passwords like "admin" and "1234." Consumers unknowingly used the devices as is, without changing or updating those passwords, and the devices became an unintended tool hackers used to bring down Dyn.
In commenting on this attack, Alan Woodward, cybersecurity adviser to the EU’s law enforcement intelligence agency, Europol, said, “One thing all these devices should be doing is forcing users to change the default credentials when it is first turned on.”
Interestingly, he used the word “forcing.”
While it's true the default user name and password security problem must be corrected immediately, what's not clear is whether forcing the average consumer to become their household's IT specialist is remotely feasible.
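What "forcing" a credential change at first power-on could look like on the device side is worth making concrete. The following is an added example and is not code from the article or from InAuth; the `Device` class, the `FACTORY_DEFAULTS` list (beyond the "admin"/"1234" pair the article cites), the 12-character minimum, and the PBKDF2 round count are all assumptions chosen for illustration. The point it demonstrates is that the gate is enforced by the device, not by the user's memory: remote services stay disabled, and factory defaults are refused outright, until a replacement credential has been set.

```python
# Added example, not part of the original article: a model of the
# "force the user to change the default credentials on first power-on"
# behaviour described above. Device, FACTORY_DEFAULTS (apart from
# admin/1234) and the policy numbers are assumptions for illustration.
import hashlib
import hmac
import os

# Credentials the device leaves the factory with. The article names
# "admin" and "1234"; the other pairs are constructed sample defaults.
FACTORY_DEFAULTS = {("admin", "1234"), ("admin", "admin"), ("root", "root")}
MIN_PASSWORD_LEN = 12      # assumed policy value
PBKDF2_ROUNDS = 100_000    # assumed work factor


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the device never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Device:
    """Minimal device state: nothing beyond the local setup flow works
    until the factory credentials have been replaced."""

    def __init__(self) -> None:
        self.provisioned = False
        self._user = ""
        self._salt = b""
        self._digest = b""

    def network_services_enabled(self) -> bool:
        """Remote management stays off until provisioning completes."""
        return self.provisioned

    def set_credentials(self, user: str, password: str) -> None:
        """First-boot step: refuse factory defaults and weak passwords."""
        if (user, password) in FACTORY_DEFAULTS:
            raise ValueError("factory default credentials are not allowed")
        if password in {p for _, p in FACTORY_DEFAULTS}:
            raise ValueError("password matches a known factory default")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        self._salt = os.urandom(16)
        self._digest = _derive(password, self._salt)
        self._user = user
        self.provisioned = True

    def login(self, user: str, password: str) -> bool:
        """Constant-time digest comparison; always False before provisioning."""
        if not self.provisioned or user != self._user:
            return False
        return hmac.compare_digest(_derive(password, self._salt), self._digest)


def first_boot_demo() -> dict:
    """Walk one device through first boot and return the observable outcomes."""
    dev = Device()
    before = dev.network_services_enabled()
    try:
        dev.set_credentials("admin", "1234")  # the default the article cites
        default_rejected = False
    except ValueError:
        default_rejected = True
    dev.set_credentials("owner", "long-and-unique-phrase-2016")  # constructed value
    return {
        "services_before_setup": before,
        "default_rejected": default_rejected,
        "services_after_setup": dev.network_services_enabled(),
        "default_login_works": dev.login("admin", "1234"),
        "owner_login_works": dev.login("owner", "long-and-unique-phrase-2016"),
    }


if __name__ == "__main__":
    print(first_boot_demo())
```

The design choice to note is that the check lives in front of the network stack rather than in a login prompt: a device that merely nags still answers on the network with its factory password until the owner gets around to changing it, which is exactly the state the Dyn botnet exploited.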
People are already overwhelmed with technology. They are also frustrated with the volume of passwords they have to remember. While most people do make the effort to update their smartphones because that is their main communication device, it seems unrealistic to expect the average consumer to update everything in their home connected to the internet, from the refrigerator to a baby monitor to their router. And what happens when a security hole is discovered after the purchase? How will the patch be distributed? How will it be implemented? How can the manufacturer ensure it has been implemented? Does your organization just automatically perform periodic updates on all its connected devices?
What we really need to ask ourselves is whose responsibility it is to secure these devices and, even more importantly, whether we really want to leave the security of the Internet of Things to the average consumer.
More Scrutiny Equals More Recommendations
Perhaps the only upside to this attack is that it brought heightened attention to the issue. As a result, many security and fraud prevention experts are actively debating the next steps to take to secure the Internet of Things.
The Online Trust Alliance (OTA) is an example. The non-profit recently issued recommendations to help consumers safely use and secure their connected devices. Its top 10 checklist outlines things consumers can do to protect themselves, such as contacting their ISP to update routers and modems, changing their SSID to a more secure name, and, where possible, implementing multi-factor authentication to reduce the risk of their accounts being taken over.
Again, while it seems at first glance that such guidelines certainly have merit, it's not realistic to expect consumers to first understand what is required of them in a technical sense (What's two-factor authentication? What's an SSID?) and then actively take part in the process of securing their own devices.
As any CSO or CISO can tell you, even employees that get regular training in security best practices at organizations around the world, including C-level executives, still download things they shouldn't, fail to update settings, choose poor passwords, etc. Guidelines, mandates, and legislation can be used to encourage good security practices, but putting the onus on untrained consumers to secure these devices makes the risk of breaches even higher.
The Best Security is Invisible, Frictionless
While the Internet of Things has created many advantages for consumers, including added convenience, features, and increased control over the products they own, it has also opened up gaping security holes that can be exploited for nefarious purposes.
While a case can be made today that everyone is in security, there is too much at stake for manufacturers and technology companies in the security space to expect end users to take up the mantle of IT expert for their household.
Instead, organizations must come together and find ways to shore up security gaps in these devices at the time of manufacturing. Security at its best is ubiquitous yet invisible, quietly protecting users in the background and working to make operations smoother with less friction. It is not forcing users to remember more passwords, fill out more forms, or locking them out of their device until they do an update. If this is the approach, consumers will most likely push back and, ultimately, their dissatisfaction will drive them toward competing products that offer the same features with security built in. Smart organizations will create security differentiators for their products. They will have to in order to remain profitable in our always-on, increasingly connected world.
About the Author
Michael Lynch serves as Chief Strategy Officer, where he is responsible for leading InAuth's new products strategy, along with developing key domestic and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership. Prior to joining InAuth, Lynch served as a Senior Vice President for Bank of America, responsible for Authentication Strategy.
For more information visit: www.inauth.com