Is the consumerisation of IoT bad for business?
With IoT dominating this year’s CES, we look at the implications for business security
CES 2017 has now come to a close, yet in just a few days the technology roadmap for the entire year was laid out for all to see. Although we saw some impressive advancements in typical fields, like new TVs from Sony and Samsung or the genuinely impressive 2-in-1 Dell XPS 13, it was the new surge of IoT and connected devices that captured the imagination of this years attendees.
We were invited to imagine a connected world where you wake up in the morning on a bed that automatically adjusted to your shape during the night, your partner's head slightly raised because the bed noticed they were snoring. A coffee maker sits on the kitchen bench, ready with that caffeine fix just the way you like it. The smart toaster has your breakfast on the go, as your smart hairbrush berates your brushing technique while you get ready for work. Before you leave the house, you grab your anti-pollution smart scarf and yell at your AI driven vacuum cleaner to get to work.
CES showed us there is a device to make almost every part of our lives 'smarter', and undeniably these products have the potential to make a positive impact on daily life. But as we invite an increasing number of connected devices into our home, we could be creating more and more doors to our personal data, in areas they could never have existed previously.
The harsh reality is that for these devices to work, a degree of personal data must be handed over. For example, to be able to use the Sleep Number 360 bed developed by Simba, you are required to use a mobile app which runs using a personal profile a profile that holds your name, email address and any other data you decide to provide. Soon a date of birth could be required just to have a good night's sleep.
If 2016 has taught us anything, it is that there are no guarantees your data will be safe. Yahoo, Talk Talk, LinkedIn, Tesco Bank, and Dailymotion are just some of the recent hacks that collectively led to the loss of billions of user details. But with the idyllic example hinted at by CES 2017, the sheer volume of personal data collectively locked away could be huge, all contained within worryingly insecure smart devices.
Aside from the problems of data theft, the relentless pursuit of a 'connected everything' facilitated a surge in the number of distributed denial of service (DDoS) attacks against businesses in 2016. IoT security is still substantially lacking, and thanks to a general use of default login credentials and a lack of knowledge or responsibility on the part of the user, hackers have been able to exploit the collective bandwidth of IoT devices to create massive armies of botnets, capable of bombarding single targets with cripplingly high volumes of traffic. DDoS attacks like these are worryingly simple, as they don't require a network breach; instead, they use code and credentials that are openly available online.
As the number of IoT devices increases in our homes, the bigger the gold mine gets. In 2016 we saw the deployment of the Mirai botnet, resulting in a coordinated assault on Dyn servers and a massive internet outage affecting the likes of Netflix, Reddit, and Twitter. These attacks were some of the largest in industry history and they are only set to increase as domestic IoT devices become more popular. Unfortunately, users won't necessarily know if their device is part of a zombie army of infected drones. Unlike PCs, which often slow down or crash when infected, IoT devices are designed to run without human interaction and performance is generally consistent despite the presence of malware.
There are clear differences between the priorities of businesses and the everyday consumer and this, according to Aapo Markkanen, principal analyst at Machina Research, is fully exploited by the consumer tech industry.
"In enterprise space, especially in the industrial IoT, the benefits of investing in security and taking it seriously are fairly tangible for suppliers," says Markkanen.
"On the consumer side, the outlook is very different: the customers don't see security a high priority, so the product makers and their suppliers can afford to cut corners," he adds.
Many of the security issues facing the IoT industry today are not of a technical nature, argues Markkanen, but simply an inadequate approach to development.
"If you take the high-profile DDoS cases we witnessed last year, then they are not because the hacked products were missing some magic component that would have made them safe," says Markkanen. "Sometimes it's all because the IoT developers just don't 'get' security... it's simply a cynical gold rush play to get products to the market as cheap as possible, as fast as possible."
According to research from analyst firm Forrester, more than 500,000 IoT deviceswill suffer a hack in 2017, exploiting open source components that are rushed to the market without adequate security precautions embedded in their firmware, or plans to deliver future updates.
Some companies in the consumer market see security as a barrier, because it slows down production and leads to added costs for the developer, chiefly in the form of hiring pricey security professionals, and it can therefore be overlooked.
Hackers can then take advantage of the complacency in this market, meaning businesses will suffer from relatively simple attacks powered by the consumer IoT at least until some oversight is put in place.
Thankfully, efforts are now being made to try and conquer the Wild West that has been the IoT landscape over recent years. The Norton Core, developed by Symantec, is an example of a router built from the ground up with IoT in mind, capable of monitoring traffic for unusual activity and able to alert the user of suspected bot hijacks.
But the fact that web security firms are developing these products highlights the inadequacy of standard broadband routers to handle the security issues facing today's IoT connected homes and businesses. Over the past two years, the US Federal Trade Commission has filed lawsuits against Taiwanese firms Asus and D-Link for failing to adequately protect routers and security cameras from intrusion. These complaints are the latest brought by the commission as part of a campaign to improve practices in the development of connected devices. Asus has since agreed to regular independent security audits for the next 20 years.
The thinking around IoT will need to change in the coming years, particularly as we begin to see the effects of the planned obsolescence of connected technology. Perhaps uniquely, connected smart devices will continue to serve a purpose as a useful power source for botnets, as these products typically have a limited lifespan in terms of manufacturer support. How manufacturers continue to ensure older products are secured against newer and more sophisticated attacks is a problem that will likely need to be resolved through some form of statutory regulation.
"There is no single silver bullet to mitigate the long-term DDoS threat that the growth in IoT devices poses to the internet-based economy," says Markkanen.
"Companies with anything at stake in the IoT need to come together and find the right avenues to advocate better developer practices. Given that there is a strong public, and national-security interest in the issue, it would be wise for the industry to move proactively and come up with concrete proposals that will help set the right incentives for developers," adds Markkanen.
There is little doubt that, as most years, many of the products on display at CES 2017 were concept pieces a chance for developers to show off some creativity with current technology, rather than devices that will go into production. But what is clear is that the 'connected everything' is growing, and reliance on current security and privacy standards is not enough to ensure devices are safe to use for both consumers and businesses in 2017 and beyond.