What is the IoT?
The Internet of Things (IoT) consists of connected devices that communicate with each other and gather and share data over the internet. Examples include your computer, smartphone, security cameras, baby monitor and smart thermostat. In industry and healthcare, too, IoT applications are commonly used to monitor and maintain equipment, among other things.
What are the risks of the IoT?
Attackers can exploit the fact that many IoT devices are not configured properly and are therefore insufficiently secure. This is what enabled hackers to gain access to the database of a casino via a smart thermometer in an aquarium. It is also how the locations of Dutch children became traceable due to a leak in a smart watch for children. Sometimes no hacker is involved at all: IoT devices, such as the smart assistant Alexa, may share users' information unprompted. All these things can result in personal data becoming publicly available, which has serious implications for consumers' privacy and companies' liability.
Why are there many insecure IoT products?
Why are there so many IoT products on the market whose security is not in order? Investing in security is simply not an attractive business proposition for manufacturers, because consumers will not pay more for a product that claims to be secure: they take security for granted. Moreover, suppliers have a strong interest in getting these products to market as quickly as possible. Aspects that do not directly affect the operation of the device, such as security, are easily overlooked during development.
Consumers, for their part, often do not have the information they need to make an informed purchase decision that takes security into account. On top of that, price is an important factor in purchase decisions. It doesn't help that the market is flooded with cheap devices from low-wage countries. All these things result in IoT products with vulnerabilities.
What are the causes of IoT vulnerabilities?
In practice, the following things contribute most to IoT vulnerabilities:
- The absence of a (simple) update mechanism, meaning that there is little if any possibility of resolving security problems in products already sold.
- Insecure default configurations, which place the responsibility for security with the user. Examples include weak default passwords and management interfaces that are available on public networks as standard.
- Insufficient understanding of security among developers. Many of the lessons that were learned long ago in 'regular' software engineering need to be learned again by IoT software developers.
- Absent or poorly implemented cryptography. This is often the result of the limited processing power of the hardware used, which means standard solutions cannot be employed.
How can the IoT be made more secure?
To make IoT products more secure, the focus in development and maintenance needs to be on quality, not merely on security. By focusing on quality, you improve not only the security, but also the performance, reliability and durability of IoT applications. Up to a point, the relationship works both ways: a product with very poor (software) quality cannot be properly secured, while a high-quality (software) product is easy to secure; in fact, further security may not even be necessary.
Furthermore, a secure IoT is a matter of hardware, software and an ecosystem. After being sold, a product requires maintenance and support. IoT devices typically have a longer life than laptops and phones, for example. Throughout the life of the device, it will periodically require maintenance to fix security problems that have become known.