
The internet of things era is underway. Smart, connected gadgets for the home are gaining traction among consumers. Industries are beginning to adopt IoT technologies. Use cases, such as self-monitoring refrigeration systems that can predict operational problems and proactively schedule maintenance, are popping up.

However, security concerns continue to threaten IoT’s progress. Report after report lists security as the No. 1 impediment to IoT adoption. A study by security company Gemalto, for example, found 90 percent of consumers lack confidence in the security of IoT devices. Nearly two-thirds of IT professionals surveyed by security vendor Pwnie Express said they had more misgivings about device threats in 2018 than they had the year before.

While adoption shows no signs of slowing down, the security threat is very real.

Upping the IoT Security Stakes

It seems inevitable that in 2019 IoT security will command more and more government attention. With Gartner predicting the number of connected things to reach 20.4 billion by the end of the decade, the attack surface is growing exponentially. Yet the public is largely unaware that connected devices can be used to attack other devices, and the industry hasn’t done enough to address device security. The combination makes it likely legislators and regulators in capitals around the world will feel it necessary to intervene.

Gartner has described what it calls “disturbing trends” in IoT, including that “product and service vendors are paying little attention to scenario- or vertical-specific requirements for IoT security” and “technical standards and frameworks for IoT security are almost nonexistent or beta editions.”

To date, however, companies have faced little concrete legal obligation to build stronger security into devices. It’s still common for devices to ship with hard-coded passwords or standard “admin” passwords that hackers can figure out and exploit too easily. Most consumers aren’t even aware of this vulnerability.

When a security exploit is discovered, updates are not always rolled out in a timely manner, and sometimes not at all.

Current Approaches Miss the Mark

The landscape is dotted with a few new laws and regulations, such as a California law requiring manufacturers of any devices that connect to the internet to include “reasonable” security features, including unique, user-set passwords for each device rather than generic default credentials that are easier for an intruder to discern.

Some security experts, however, have criticized the law as too weak. Well-known consultant Robert Graham wrote, “it’s based on the misconception of adding security features. It’s like dieting …. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add ‘security features’ but to remove ‘insecure features.’”

That reaction shows there’s a lot more to be done. But it will be interesting to see just how aggressively governments push. Will they rely on stronger laws to force the industry to more effectively tackle IoT security? Or gentler approaches, like the United Kingdom’s government website that provides a voluntary code of practice?

What Will it Take to Increase IoT Security?

Strong action may be required to get the industry’s attention. A major IoT security incident, of course, would add urgency to the situation, but to date there hasn’t been one that has attracted international attention in the same way as high-profile attacks on retailers, social media sites, government agencies and others in recent years.

In what’s considered an internet first, cyber attackers in September 2016 forced well-known security journalist Brian Krebs to take down his site, KrebsOnSecurity, after they hijacked hundreds of thousands of cameras and other internet-connected devices to overwhelm his site with traffic. The attack made international headlines, but it was more than two years ago. It could have been a tipping point for new regulation, but that didn’t happen.

The wheels of government often move slowly. However, the paradox of growing IoT adoption and heightening security concerns is creating pressure for governments to do more. The issue is almost certain to come to a head in 2019.
