Security, in some form or another, is typically found in every type of internet-enabled device, from data centres to servers, to desktops and laptops, and even on smartphones.
Children as young as in middle school are becoming aware of the concept of an antivirus and why it is necessary.
And yet, when it comes to IoT, aside from the odd company revealing widespread vulnerabilities, security is not, as they say, a thing.
At SecTor, Canada’s annual IT security conference taking place in Toronto this week, security vendor Tripwire was demoing various consumer-oriented IoT devices including smart locks, cameras, TVs and the Fitbit.
Craig Young, a cybersecurity researcher with the company, told CDN that the purpose is to both show what internet-enabled devices are capable of, as well as talk about what they’re missing.
“The state of security in IoT devices is what we saw on the web in the late 90’s, early 2000’s,” Young said. “People are putting out products with a focus on making something work and not on security. The result is products with blatant security holes. Many may not even have processes for updating the firmware for patching.”
The problem, he noted, isn’t just that the devices are vulnerable in and of themselves.
Rather, people need to understand the idea that as these devices come online and become connected to laptops, smartphones, and other machines thought to be secure, they put them at risk as well.
This is because any gadget that is compromised doesn’t just divulge whatever information is stored and (in the case of smart home devices) allow malicious control in a private setting. They can also be reconfigured for purposes such as botnets in spreading viruses or spam, carrying out DDoS attacks, and – according to Young – even mining bitcoins.
In other words, even if you aren’t planning on buying, using, selling, or provisioning IoT devices, their lack of security will likely affect you.
“We need to get people on board for evaluating the security on these products,” Young said, “It’s something we can’t ignore; it’s a security risk for everyone.”
While companies such as Google and Samsung may come to mind for their Nest and smartwatch products, industry is where IoT devices, such as smart sensors from companies including General Electric, are really taking off, Young said.
While Young said he hopes that devices in this space are more mature and are more security-focused, his company hasn’t had as much access to test their resilience.
What’s more, he also blamed businesses for being reluctant to allow their IoT environments to be tested.
Between the two markets, he said that industry is more focused on confidentiality, integrity and availability when it comes to smart sensors.
It is also less concerned with cost, the need for plug-and-play as opposed to thorough authentication, which can be barriers to security in the consumer space.
Nevertheless, he said, there are discussions about sharing intelligence to improve in this area.
There’s also a need to make security feel real in the IoT space, like it has become for other types of devices.
“When someone is going in to pick out their home automation system, they’re going to look at functionality – there’s no way of evaluating security protocols.” Young said. “With baby cameras, that’s the best instance where there’s something that’s very tangible there. Someone is able to move it, talkthrough it, something you can see, you can hear and be creeped out by. Seeing that somebody can walk up to your smart lock and unlock it, that should get people to demand better.”