The Internet of Things’ Persistent Security Problem
The Internet of Things (IoT) can conjure up a future where our cars drive themselves, our fridges restock on their own, and our yoga pants nudge us into proper posture. It is a future where every object, connected to the Internet by sensor and software, has become a smart object, and the physical and digital worlds are intertwined, melded, and indistinguishable.
Not just for consumers, but for major enterprises, too, IoT holds tremendous potential. Maersk, the world’s largest shipping company, uses sensors on its food containers that communicate via satellite to ensure temperatures are kept at the right level. Rather than relying on manual checks, ship workers can be instantly alerted to fix a temperature control problem, saving huge spoilage costs. There are also organizational, industrial, infrastructure, and military applications.
IoT buzz has waned since its peak five years ago, but the IoT market has barely cooled and neither have prognostications – the IoT market value is expected to grow from roughly USD$250 billion this year to more than USD$1.5 trillion in the next five years. McKinsey, a global consultancy, projects the worldwide number of IoT-connected devices to increase to 43 billion by 2023, an almost threefold increase from 2018.
Still, as IoT grows, serious questions continue to be asked about its security. Recent hacking developments in the United States and elsewhere have highlighted the vulnerabilities in our interconnected world, making IoT’s weaknesses all the more obvious.
The threat of ransomware
As more objects become smart objects, they risk incursion by third parties, and each object represents a potential entry point to other objects on that network. In 2020, Wired reported on a research experiment where a software engineer reverse-engineered a coffee maker. After a week’s work, the researcher was able to hack into the machine, “turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord.”
More unsettlingly, with more time and resources, the coffee maker attacker said he could have gotten into other devices on that network. Consider the consequences for a city that uses smart streetlight bulbs.
The real-world threats are becoming clear, especially as hacking and ransomware have come under the spotlight in the past year. In May, cyber criminals shut down a pipeline supplying oil to America’s east coast for five days and demanded USD$4.3 million from the Colonial Pipeline Company, its owner, to release it. The Economist reports that such ransomware attacks are becoming more common.
IoT’s special vulnerabilities
IoT presents a particular weakness because the billions of devices present a huge attack surface and because of how vulnerable many of them are individually. The first issue is remote exposure: the devices’ connection to the Internet creates a multitude of entry points into the system. Second, some devices lack the capacity and computing power to even operate sophisticated firewalls or antivirus software. Third, in the rush to digitization, many companies have prioritized efficiency over security design, exposing entire industries, such as automotive or healthcare, to reliance on insecure sensors and other devices.
There are plenty of technical solutions for improving IoT security, like using authentication certificates or secure encryption keys, many of which are similar to measures adopted by other connected devices, such as laptops or phones.
But there are also policy challenges in ensuring that consumers and larger systems are protected. Harvard computer science professor Jonathan Zittrain has proposed a “networked safety bond”, which could be cashed in if a company discontinues maintenance for a product or goes out of business. Such a system exists for coal mining, where insurers price bonds according to companies’ security practices. He also suggests that networked products be required to work as well as their analog counterparts even when they’re not connected to the Internet.
In what is currently a fragmented regulatory and standards landscape internationally, the EU has taken the strongest interest in IoT, but from a competition perspective. The EU Commission is investigating competition questions related especially to the three dominant voice assistants (Alexa, Google Assistant, Siri), a node for issues of data privacy and interoperability. Its recently released report hardly mentions security.
This year Google will stop supporting Clips, a device it stopped selling last year. It was an expensive (USD$229) and small camera, designed to capture the in-between moments of our digital lives. If your toddler was about to take her first steps, but your camera was not in your hand, Clips would capture a seven-second clip of it for you. It used AI to learn faces, so that it had a sense for when to operate. It got poor reviews and now lies on the trash heap of Google gadgets, but it was visionary in at least one security, if not privacy, aspect: it worked while it was offline. You just connected it to your phone to upload photos when you wanted. It was also the kind of device that would be eligible for Professor Zittrain’s “networked safety bonds.”
Abbosh, Omar and Kelly Bissell. “Securing the Digital Economy.” Accenture. 2019.
Austin, Greg. “SolarWinds attack underlines importance of US cyber-security upgrades.” International Institute for Strategic Studies. 17 February 2021.
Schaake, Marietje and Tyson Barker. “Democratic Source Code for a New U.S.-EU Tech Alliance.” Lawfare. 24 November 2020.
Dahlqvist, Fredrik; Patel, Mark, et al. “Growing Opportunities in the Internet of Things.” McKinsey. 22 July 2019.
Eadicicco, Lisa. “Google Just Announced a Smart Camera That Takes Photos For You.” Time. 4 October 2017.
Fleishman, Hod. “It’s 2020. Let’s Stop Saying ‘IoT.’ (Part 1).” Forbes. 7 January 2020.
“Forecast end-user spending on IoT solutions worldwide from 2017 to 2025.” Statista. 22 January 2021.
Goodin, Dan. “When Coffee Machines Demand Ransom, You Know IoT is Screwed.” Wired. 10 January 2020.
Heising, Jim. “The Internet of Things is Dead. Long Live the API.” Medium. 9 July 2019.
Hollis, Duncan. “A Brief Primer on International Law and Cyberspace.” Carnegie Endowment for International Peace. 14 June 2021.
“Internet of Things Security is More Challenging Than Cybersecurity.” Wind River.
Irwin, Lucas. “One Thousand and One Talents: The Race for A.I. Dominance.” Just Security. 7 April 2021.
Newman, Lily Hay. “100 Million More IoT Devices Are Exposed—and They Won’t Be the Last.” Wired. 13 April 2021.
Peters, Jay. “Google Clips is Dead.” The Verge. 16 October 2019.
“Ransomware highlights the challenges and subtleties of cybersecurity.” The Economist. 19 June 2021.
Schwab, Katharine. “Is the Internet of Things Dead Or Is it Growing Up?” Fast Company. 2 December 2018.
Seifert, Dan. “Google Clips Review: A Smart Camera That Doesn’t Make the Grade.” The Verge. 27 February 2018.
Shea, Sharon. “IoT Security (internet of things security).” TechTarget. April 2021.
Southwell, Alexander and Terry Wong. “New Federal Law for IoT Cybersecurity Requires the Development of Standards and Guidelines Throughout 2021.” Gibson & Dunn. 17 February 2021.
Willett, Marcus. “Lessons of the SolarWinds Hack.” Survival. Vol 63 no 2. April – May 2021.
Zittrain, Jonathan. “The Internet of Things Moment: My Testimony Before the Senate Judiciary Committee.” Just Security. 15 June 2021.
Zittrain, Jonathan; Olsen, Matthew, and Bruce Schneier. “Don’t Panic: Making Progress on the ‘Going Dark’ Debate.” Berkman Centre for Internet and Society at Harvard University. 1 February 2016.