[Part 1/4] IoT Essential Truths: Privacy and Security Must be a Top Priority

Executive Summary

Think twice before you’re fooled by sleek design. You may get a lot more than you bargained for because of a lack of IoT security on your latest device.

  • One IoT device infected with malware or designed with poor security can do everything from leak confidential files to endanger a life.
  • When producing an IoT device, you must prioritize privacy and security over profit and design if you want your customers to keep coming back.
  • It’s time to take a second look at the security of your IoT devices (or lack thereof). Ensure they have sufficient privacy measures built in, and that you’re taking advantage of them.

— Part 1 / 4 —

Time for some tough love. No matter how cool your IoT (Internet of Things) device or service is, if you’re not willing to make guaranteeing privacy and security your top priority, you don’t deserve to be in the field.

But isn’t that putting the cart before the horse? Shouldn’t you concentrate on creating your neat device first, then bolt on some privacy and security protections? That’s what I heard while speaking at a conference on wearables several years ago.

When asked about their privacy and security protections, the bright-eyed duo who were presenting begged off: “We’re just a startup—we’ll get to the privacy and security when we have a workable prototype.” Nope. You don’t have that luxury.

Consumer and Corporate Confidence Is Hard to Win and Easy to Lose

Here’s why.

Back in the eighties, I was a corporate crisis consultant, called in to rebuild public confidence after major companies had done something really dumb. Customers’ loss of confidence usually manifested itself as fear. The engineers with whom I’d work were usually dismissive of these fears, because they weren’t fact-based, and I had to patiently explain that just because they weren’t factual didn’t mean they weren’t very real in the customers’ minds—and that those customers wouldn’t be coming back soon.

That’s even more the case with the IoT. Whether it’s dealing with consumers or corporate customers, the kinds of real-time data that the IoT is gathering, from personal medical conditions to assembly-line operations, are crucial to them. Let a bad guy get hold of that data due to lax privacy or security protections, and not only will your IoT product or service be cooked, but the public and business customers alike may paint the Internet of Things with a broad brush and say “no thanks.”

INFAMOUS IOT SECURITY BREACHES

I’m not talking hypotheticals here. There have already been several high-profile breaches of IoT security that have gotten a lot of media coverage.

  • ILLINOIS: One was staged by a willing Wired reporter and two whitehat hackers, who tunneled into his Jeep’s entertainment system. (This underscores, by the way, that individual IoT devices become more valuable and versatile when they are linked, and that hackers can reach the most critical system, in this case the car’s drivetrain, through another device.) They then proceeded to take over the controls, ultimately killing the engine while he was driving sixty miles per hour on an interstate.
  • TEXAS: Or, frightening to any parent, several years ago a Houston couple heard a loud voice coming from their two-year-old’s bedroom. When the father entered the room, he heard a man with an Eastern European accent making lewd remarks over his daughter’s baby monitor. The father had taken precautions by putting a password on the monitor, but the manufacturer had taken shortcuts with the device’s security provisions, which ironically touted that it could be remotely monitored from anywhere in the world.
  • NEW HAMPSHIRE: Most frightening of all was an October 2016 distributed denial of service (DDoS) attack on a New Hampshire-based hosting firm. It temporarily made large portions of the internet unavailable in the U.S. and Europe. The hackers used the “Mirai” malware to infect a wide range of cheap IoT devices, including printers, IP cameras, and baby monitors that had few protections (i.e., default passwords such as “admin”) or none at all. Can you imagine if a similar attack were launched again today, only this time taking over billions of IoT devices as the IoT multiplies?

These and other IoT privacy and security incidents illustrate that the very principle that makes the IoT so versatile and powerful, the fact that a variety of devices can be linked, means that an attack on one of the devices can potentially affect all of them. That’s an argument for not just making privacy and security the highest priority with your own devices, but also for joining in collaborative efforts to reduce risk, as will be detailed later in this chapter.

SHODAN (THE WORLD’S SCARIEST SEARCH ENGINE)

The extent of the IoT’s vulnerability is demonstrated by Shodan, which bills itself as “the search engine for the Internet of Things.” Some have called it “the scariest search engine on the Internet.”

Shodan utilizes a variety of filters to query IP addresses (remember that an IP address for almost every “thing” is a key building block of the IoT) for a whole range of devices, from routers to webcams.

According to Dan Tentler, a security researcher who has spent several years investigating webcam security, Shodan’s feed includes images of everything from marijuana plantations to back rooms of banks, college campuses, and the insides of homes and retail stores.

Visitors to the site can query keywords to find the indexed devices and, sometimes, information such as default passwords.

CONSIDER THE CONSEQUENCES

It can’t be stressed enough: DDoS attacks based on infecting IoT devices such as these with malware have potential impacts far beyond the individual users.

If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions is true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices.

Worse, such a quantity of insecure devices makes the internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes?

SECURITY BY DESIGN

Another IoT Essential Truth to be discussed later in this chapter [The Future is Smart] is “close the loop,” instead of using traditional linear processes. The privacy and security issue forces us to deal with that concept here as well. No matter how elegant your privacy and security measures are today, you simply can’t rest: the process must be iterative and never-ending, because the threat from hackers is constantly changing. There’s a growing consensus in both IoT companies and government regulators that what’s needed is “security by design.”

Security needs to be an integral part of the device’s design from the beginning, followed by an iterative process to make sure it still works as challenges evolve.

PRIVACY AND DATA PROTECTION BY DESIGN

The EU recognizes privacy as a fundamental human right, so Europe is much further along on this concept than the U.S. is.

The EU has created an excellent overview, Privacy and Data Protection by Design—from Policy to Engineering, which is perhaps the best place to begin to develop security by design strategies. In it, the authors first give a stark assessment of current privacy and security protections (or lack thereof) in IoT products and services:

“We observed that privacy and data protection features are, on the whole, ignored by traditional engineering approaches when implementing the desired functionality. This ignorance is caused and supported by limitations of awareness and understanding of developers and data controllers as well as lacking tools to realize privacy by design.”

The report goes on to:

  • Argue for integrating technical solutions.
  • Address organizational procedures and business models so that privacy and security and technology will reinforce each other rather than be at loggerheads.
  • Tell legislators and regulators that they must play an active role, so that any regulations or standards don’t limit future innovation.
  • Give an overview of what are lumped under the term “Privacy-Enhancing Technologies” (PETs), such as encryption, protocols for anonymous communications, attribute-based credentials, and private search of databases.
  • Link these tools and overall design strategies to a company’s legal obligations to protect privacy, so developers can easily choose technologies that will meet the requirements.
  • Caution developers about the approach’s current limits—both inherent limits and those due to the current early stages of strategies and technologies.
  • Offer recommendations on how to overcome and mitigate those limits…

Ensuring IoT privacy and security will only become more important—and risky—as IoT devices and services become more ubiquitous in the next few years. You will need to make it a central consideration in everything you do on the IoT. In addition, you will need to go beyond your own policies to also become active in collaborative IoT industry privacy and security initiatives, such as the IoT Security Foundation and BuildItSecure.ly.

The collaborative nature of the IoT requires equally collaborative privacy and security approaches, because a scandal involving any company in the field threatens public confidence in the concept in general. It will also be necessary for companies to work with government agencies to craft regulations that will, on one hand, root out the bad actors who jeopardize everyone’s credibility and, on the other, avoid the kind of prescriptive government regulations that would inhibit IoT innovation.

It remains to be seen what the Trump administration may do in this area, but the FTC during the Obama administration launched an admirable collaborative regulatory development process with the industry.

Adapted with permission from The Future is Smart: How Your Company Can Capitalize on the Internet of Things--and Win in a Connected Economy by W. David Stephenson, copyright W. David Stephenson.

TO READ NEXT:

IoT Essential Truth #2: Share Data, Don’t Hoard It

Bring It Home

It’s hard not to love the functionality and the automation that technology brings. But, in addition to all of its handy features designed to make your life easier, your IoT device could be packed with potential security and privacy threats.

Imagine handing your smartphone, the lock on your front door, or even the very technology in your car over to a hacker. You’d never do that! But what if, thanks to poor IoT security, you already have?

Instead of leaving yourself vulnerable to privacy or security threats, it’s time to take inventory of your IoT devices and the security measures they provide. Comment below with one way you can protect yourself when it comes to your IoT devices. ~ HarperCollins Leadership Essentials

W. David Stephenson

W. David Stephenson develops strategies and theories around the Internet of Things, Enterprise and E-Gov 2.0-3.0, data, homeland security and crisis management. Stephenson empowers the public with tools like personal communication devices and Web 2.0 social media to engage with private sector companies and organizations.
