Last year, hackers demonstrated to us how the IoT, when unsecured, can be used to hack a Jeep remotely while it’s in the middle of a highway. A scary scenario. It served as a wake-up call for many in the automotive industry, especially those at Jeep who promptly issued a patch for the vulnerability.
Since then, the company behind the Jeep hack, IOActive, has come out with a survey claiming that nine out of every 10 IoT devices on the market today have not been designed with adequate security. These figures are concerning and should serve as a reminder to everyone how we must strengthen our commitment to IoT security. Below, we list out the three key lessons we must learn about IoT security practice and policy.
1. Security must be the number one priority for IoT. The potential of the IoT is seemingly unlimited – new innovations are being made every day. This is brilliant for the IoT market as a whole; however, security thinking must be properly integrated into the innovation process.
Currently, many IoT developers choose (understandably) to work in an agile manner, in an off-network sandbox which enables them to experiment and innovate more rapidly. In this environment, security is often an afterthought, and is not implemented until the later stages.
It’s important we recognize that secure products need to be built with security in mind from the ground up – security solutions shouldn’t just be added on at the end of the process. Instead, securing the device should be the first pillar.
2. The onus of responsibility should be with manufacturers/developers, not with end users. Some companies have resorted to including disclaimers with their products to ensure they’re not held liable for any security exploits.
This sets a dangerous precedent; one that passes on the responsibility to end users. Of course, end users should be encouraged to be responsible and take all the care they can… but this can’t relieve the manufacturers of responsibility. If IOActive’s figure of nine out of 10 devices being vulnerable is accurate, we can’t expect end users to be bridging the gap.
3. We need to keep driving IoT security innovation. The IoT, on many levels, is about discovering new ways of doing things. This means new form factors that we haven’t used before – this could also mean new attack vectors for hackers. For example, USB or OTA software updates for vehicles provides a new attack vector for criminals – we need to ensure we find ways to secure against these possibilities.
In short, we’ll need innovative solutions to protect against new opportunities for exploitation.
In addition, the second annual IoT/M2M Innovation World Cup Security Award brings forward the importance of building trust into the IoT.
Once a greater trust is established, the opportunity for businesses to Connect, Secure, and Monetize the IoT will be better than ever.
Filed Under: M2M (machine to machine)