When it comes to the greatest inventions of the 20th century, many things come to mind. From aeroplanes to automobiles and vaccines to televisions, a host of 20th-century inventions have touched human lives and changed them for the better. The microchip was also among the most significant inventions of the last 100 years.
The ongoing technological revolution owes many of its successes and milestones to the microchip, and the Internet of Things (IoT) is one of them: it could not have been conceived without the progression of the microchip. Experts believe that IoT is the future of the human race. In the broadest sense, the term IoT encompasses everything connected to the internet, but it is increasingly being used to define objects that “talk” to each other. In the words of Matthew Evans, the IoT programme head at techUK, “Simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together”.
As the transition to an era of IoT and connected devices has already begun, many tech experts and users have started showing concerns about the potential privacy and security issues stemming from it. In this article, we will talk about those challenges and also try to cover the possible solutions.
IoT in Numbers
Before we delve into the discussion of privacy and security issues, it is imperative to look at how fast the age of IoT is approaching us. For instance, every second, approximately 120 new devices become part of the IoT world. It has also been estimated that more than 60% of all new consumer electronic appliances will become part of the IoT by the end of the year.
Forecasts also suggest that the number of connected devices in smart homes (automated homes where lighting, appliances and other elements are controlled through intuitive sensors and controls) will cross the mark of 12 billion this year. Moreover, many countries have planned to develop one or more smart cities in the next 5-10 years. The “smart” aspect of these cities will only materialise with a humongous network of connected devices.
All these statistics indicate that the move towards an IoT future is not going to roll back. Since we are in the middle of this transition, we must be aware of all the privacy and security challenges that the world of connected devices poses.
Privacy and Security Challenges of IoT and Connected Devices
When it comes to the internet and, by extension, IoT, privacy challenges and security measures go hand in hand. However, we will try to discuss them separately to make things clearer.
Difficulty in Data Management
Data is valuable information about a person or an entity. It is considered the currency of the digital world, which is why most cybercriminals are after it. The majority of malware, phishing, and ransomware attacks are essentially about stealing data. The prevalence of IoT is going to provide another lucrative avenue for criminals to exploit, because a network of intuitively working connected devices will harness a lot of data. For instance, all the inputs, feedback, and outputs pertaining to any IoT device are essentially data sets.
A report by the US Federal Trade Commission indicates that a network of connected devices for a couple of neighbourhoods (even less than 10,000 households) can create over 150 million discrete data points daily. Since these data points are not guarded like the ones used for banking and other internet use, they offer criminals more gateways to penetrate and exploit the network and its users.
In short, a privacy breach in an IoT environment could be both easy and far more consequential.
Eavesdropping Is Too Easy
When a lot of data is being transmitted all the time and via various devices, it becomes easy for hackers to eavesdrop on it and exploit it for malicious use. It is not just hackers; companies providing IoT systems can do that too. Users are already raising their concerns about how Amazon’s Alexa and Google Home furtively collect their data in the name of better user experience.
IoT device manufacturers and service providers can easily snoop on users and find out everything about their lifestyle. For instance, a company providing IoT support to a smart home can find out many things about its occupants: their favourite TV shows and music, when they like to go out, and which restaurants they prefer to dine at.
Such under-the-radar surveillance is intrusive. It can also further strengthen the trend where businesses buy personal data for profiling their potential customers and targeting them for their advertising campaigns.
Ill-Conceived Privacy Policies
For example, the manufacturer of your smart car will have control of all the data the vehicle will generate during driving. They can share this data with your insurance company when it has to appraise your policy and premium. Similarly, health insurance companies can exploit the data harnessed by your smart fitness device.
It is important to mention here that this use of your private data will be carried out under complete legal cover and with your consent, but you can’t do much about it.
A Compound Effect
All these privacy issues with IoT devices can collectively create a very negative perception of connected devices for users. People even remotely conscious of their privacy should think many times before committing to use IoT devices.
As mentioned earlier, most IoT security challenges are entangled with privacy challenges. However, there are some particular security issues we have to discuss. Some surveys and studies point to the fact that IoT has to win over users by addressing the security challenges. One survey from a company offering smart home installations indicates that over 40% of people are very concerned about the possibility of their information getting stolen from a smart home.
Another survey was conducted among 5,000 companies all over the world. More than 80% of them have plans to put an IoT environment in place. However, only 10% of those 5,000 enterprises are sure that they can protect their connected devices against the malevolent activity of hackers and cybercriminals.
Inadequate Testing and Upgrading
Every second 126 devices are getting connected to the realm of IoT. Right now, around 25 billion IoT devices are functioning worldwide, and this number will rise to 60 billion in the next five years. This huge influx of devices into the IoT environment is coming at a cost, which is inadequate testing and upgrading.
Manufacturers and developers are in a race to produce more devices. This focus on quantity has made the quality suffer. For instance, many IoT devices don’t undergo sufficient security testing, and makers seldom release software upgrades for them. This negligence on the testing and updating front leaves devices vulnerable to hackers, especially to zero-day vulnerabilities.
- Some IoT software is open source and not robustly tested. It is available for anyone to use and explore, including predators.
- The user interface of some smart devices is too small to navigate. This makes it difficult to change default settings.
- Devices run unpatched and outdated operating systems and software.
It is important to mention here that the UK government recently passed legislation to put the onus on manufacturers to ensure that their products update automatically. This surely addresses many testing, upgrading, and design issues.
The Threat of Brute-Force Attacks
The concept of password protection for IoT devices hasn’t matured yet. Manufacturers are not emphasising the need to change the tinpot default credentials. Users also couldn’t care less about changing the password of a device that is not directly connected to their bank account or social media.
This collective irresponsibility will make it easy for attackers to make the most of brute-force password cracking. Brute-force password cracking is a technique where hackers attempt to guess a password by trying hundreds and thousands of combinations. Many users tend to put simple passwords on their IoT devices that are short and easy to remember. A complex brute-force technique can easily break such 4-5 character passwords.
Virtual and Actual Home Break-Ins
A smart home is one of the most promising prospects of the world of connected devices. However, the relevant security concerns are also the scariest ones. A home where each fixture can work on its own and coordinate with other devices over the internet, without needing constant supervision from homeowners, is also exposed to cyber attacks, which makes the home vulnerable in more ways than one.
The IP details and geo-coordinates embedded in the data points generated by a smart home can tell criminals the exact location of the house. The other data points from the smart home can help criminals reconnoitre it for a real break-in.
Similarly, hackers can carry out a virtual robbery in any compromised smart home as well. They can easily hack vulnerable connected devices such as baby monitors or smart kettles and computer devices and steal sensitive data from them.
More Deadly Ransomware Attacks
Right now, a regular ransomware attack can lock victims out of their computing device or network through code that turns the victims’ information into encrypted data. In an IoT environment, you have more such devices that are vulnerable to the shenanigans of ransomware perpetrators. For instance, ransomware may lock a user out of their smart car, and the attackers may ask for a ransom (sometimes in bitcoin) to give that control back.
Similarly, attackers can infiltrate a range of IoT fixtures (lights, gates, windows, etc.) with malicious code, hijack them or make them malfunction, and demand a ransom.
Solution for Privacy and Security Challenges
Since the IoT is still in its nascent phase, although growing rapidly, we are gradually finding out about its weak links and pain points. One can’t establish a definitive solution roadmap for its challenges as of yet. Data privacy also has a lot to do with legislation and state-level policies.
Nonetheless, policymakers, manufacturers and users can work together to address many of those issues to an extent. Let’s take a quick look at some of these solutions.
Develop a Back-End Security System
As with a regular computer network and server, there should be robust back-end security for connected devices as well. An IoT environment should also be protected with endpoint security features like firewalls, anti-malware, and intrusion prevention protocols. To have a back-end security system, users also need to take a proactive approach. Improving network monitoring helps identify vulnerabilities in IoT devices and minimise the consequences of potential cyberattacks.
Organisations could work with IT security experts to improve the security of their existing IoT setup.
Improve Authentication Protocols
Besides setting long, complex, and strong passwords, adding more layers to user authentication on an IoT device will surely help. We have seen how two-factor authentication has helped in cutting down the cases of hacked email and banking accounts. It can also boost the security of a network of connected devices. Digital certificates and biometrics are the two elements that can help in implementing effective multi-factor authentication for IoT devices.
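The default-credential and short-password weaknesses described under brute-force attacks, and the advice above to set long, complex passwords, can be checked when a device is set up. The following is an added example, not code from this article: the default-credential list is constructed, and the guess rate, minimum length and 100-year threshold are assumptions chosen for illustration.

```python
import string

# Constructed sample of factory-default credential pairs (illustrative only).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
# Assumptions for this example: attacker guess rate and policy thresholds.
ASSUMED_GUESSES_PER_SECOND = 1_000
MIN_LENGTH = 12
MIN_SECONDS_TO_EXHAUST = 100 * 365 * 24 * 3600  # 100 years

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)


def alphabet_size(password):
    """Combined size of the character pools the password draws from."""
    size = sum(len(pool) for pool in POOLS if any(ch in pool for ch in password))
    return size or 1  # characters outside every pool: treat as a 1-symbol alphabet


def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Whole seconds needed to try every password of this length and alphabet."""
    return alphabet_size(password) ** len(password) // rate


def audit_credentials(username, password):
    """Return a list of findings; an empty list means the credentials pass."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if worst_case_seconds(password) < MIN_SECONDS_TO_EXHAUST:
        findings.append("exhaustible by brute force")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials: a default pair, a long digits-only
    # password, and a long mixed-character password.
    for user, pw in [("admin", "admin"), ("owner", "123456789012"),
                     ("owner", "Kettle-Garden7")]:
        print(user, pw, audit_credentials(user, pw) or "OK")
```

At the assumed rate, a five-letter lowercase password is exhausted in a little over three hours, and a 12-digit numeric password still fails the check because length alone does not make the search space large enough.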
Implement Data Encryption Protocols
Eavesdropping on IoT network data is not just a breach of privacy; it can also create serious security issues. One way to curb this issue is extensive data encryption. All the static and in-transit data on any IoT network must be end-to-end (E2E) encrypted. Data transmission with E2E encryption might make people more comfortable in embracing the IoT.
Extensive Hardware and Software Testing
The rush to get new devices into the market is not allowing the required hardware and software testing. Manufacturers have to test every device for its range, latency, capacity, and other KPIs several times until the device reaches a certain consistency in various working environments. The UK government has rolled out a roadmap for manufacturers that will help them with the quality assurance of their devices. Moreover, if they are using third-party components in their IoT devices, they need to get them tested by an independent contractor. They need to carry out red vs blue team cyber security testing of the device’s software, in which one team pretends to be attackers and the other team tries to thwart their attacks. They also need to be diligent about the security of the device once it reaches the end consumer. For instance, they must have a response in place for a potential zero-day attack on their devices.
Well-thought-out data and privacy policies by governments, uncompromised development and manufacturing standards by IoT manufacturers and a proactive approach by users can collectively address the privacy and security challenges associated with connected devices. Cyber security experts can also play a key role in improving the security awareness of IoT at the user end.
Please contact us if you are contemplating having an IoT environment at home or work. We can create an entire cyber security plan for the network of your connected devices. We can also train your employees on IoT security.