Along with the growing popularity of IoT devices, from fitness wearables to smart fridges, come increased security and privacy issues. Mounting data breaches and device vulnerabilities have prompted wariness around IoT adoption. The latest Intelligence of Things (IoT) Tracker details how these concerns are driving providers to develop new security approaches.
Who’s Responsible for Smart Device Security?
Even items that seem benign or even wholesome, like lawn sprinklers and robot vacuums, can be prey for hackers.
PYMNTS spoke with iRobot SVP and CIO Mike Tirozzi and Director of Product and Data Security Mike Gillen about keeping devices secure.
“We know the landscape is going to change, the players are going to change [and] the attacks are going to change as well,” Tirozzi said.
Companies should continually update software on deployed devices to protect against any new attacks that could emerge, they said, and work to safeguard them from vulnerabilities introduced by other smart devices that share the same home network.
IoT devices also must be secured against the malware and other threats present at the time of manufacturing, as well as those that may be developed long after the products are released. Device security is something that should endure the product’s entire lifespan. Manufacturers must continually monitor and update their devices’ software to stay ahead of evolving cyberthreats.
“You’ll likely have connected devices where the company that makes them goes out of business,” Gillen said. “[Those] devices aren’t receiving updates anymore because the company doesn’t exist … but they’re still connected in customers’ homes. … Those devices may live on beyond companies’ abilities to support them.”
While it might not seem worthwhile to hack a smart sprinkler system, vulnerabilities can allow access to an entire smart home network. In an interview with PYMNTS, smart sprinkler company Hydrawise’s Product Manager Anthony Long explained how the system functions while keeping its smart home network secure.
“Every Wi-Fi connection, every Bluetooth connection, every connection you make where you’re using some sort of over-the-air wireless connection is subject to hacking,” Long said.
As alluded to above, data security must be considered over a device’s lifetime. Outdated software is an often-overlooked security flaw. Customers can find it inconvenient to make sure their software is consistently patched and updated.
And many don’t think the onus should be on the consumer. Both Tirozzi and Gillen noted that keeping software secure works best if the provider takes responsibility. All data transmission should be encrypted from the start, and manufacturers should handle regular software patches and updates.
The Corporate Perspective
According to a Microsoft study, decision-makers in enterprise organizations view IoT as profitable; they believe they will see a 30 percent ROI on their IoT projects going forward, and 88 percent think IoT is critical to business success.
This enthusiasm isn’t unbridled, however. Nearly all (97 percent) have concerns about security. The biggest concern among IoT adopters is creating strong user authentications (43 percent). Tracking and managing each IoT device and securing endpoints were also leading concerns, and equally important (38 percent apiece).
These concerns are not unfounded.
According to a study by Gemalto, over half (52 percent) of businesses are unable to detect if any of their IoT devices suffer a breach, and only 59 percent of companies encrypt all of their IoT-related data. Over one-third (34 percent) of companies said collecting large amounts of data is an obstacle to IoT security.
A study by Stanford University and Avast Software found that over one-third of homes worldwide contain at least one IoT device. Adoption is even stronger in North America, where that figure rises to two-thirds.
According to the Gemalto study, 62 percent of consumers said they believe the security of their IoT devices needs improvement, and a majority of consumers (54 percent) fear a lack of privacy.
A positive finding of the Stanford University and Avast Software study is that 90 percent of all devices globally are manufactured by just 100 vendors. This means fewer companies need to come to an agreement about security.
One common IoT security mistake is providing devices with default login credentials, which becomes a problem because fraudsters can compromise all of them by stealing just one device’s login.
That security gap may soon be a thing of the past, since California law SB327 will make preprogrammed default passwords illegal by 2020.