Six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people, yet we are still at the beginning of this technology trend. Experts estimate that, as of this year, there will be 25 bn connected devices, and that the number will reach 50 bn by 2020. 3.5 bn sensors are already in the marketplace, and some experts expect that number to increase to trillions within the next decade. All of these connected machines mean that much more data will be generated globally. It is expected that by 2018, mobile data traffic will exceed fifteen exabytes.
Note: An exabyte of storage could contain 50,000 years’ worth of DVD-quality video.
However, despite the innumerable and important benefits, the increased connectivity between devices and the Internet may create a number of security and privacy risks.
IoT devices may present a variety of potential security risks that could be exploited to harm consumers by:
(1) Enabling unauthorized access and misuse of personal information
(2) Facilitating attacks on other systems
(3) Creating safety risks
Although these risks exist with traditional computers and computer networks, they are heightened in the IoT environment.
First, on IoT devices, as with desktop or laptop computers, a lack of security can enable intruders to access and misuse personal information collected by and transmitted to or from the device. For example, new smart televisions enable consumers to surf the Internet, make purchases, and share photos, similar to a laptop or desktop computer. If smart televisions or other devices store sensitive financial account information, passwords, and other types of information, unauthorized persons could exploit vulnerabilities to facilitate identity theft or fraud. Thus, as consumers install more smart devices in their homes, they increase the number of vulnerabilities an intruder could use to compromise personal information.
Second, security vulnerabilities in a particular device may facilitate attacks on the consumer’s network to which it is connected, or enable attacks on other systems.
Third, unauthorized users might exploit security vulnerabilities to create risks to physical safety in some cases. Unauthorized access to Internet-connected cameras or baby monitors also raises potential physical safety concerns. Likewise, unauthorized access to data collected by fitness trackers and other devices that record consumers’ location over time could endanger the physical safety of consumers.
These potential risks are only exacerbated by the fact that securing connected IoT devices may be more challenging than securing a home computer, for two main reasons:
- First, companies entering the IoT market may not have experience in dealing with security issues.
- Second, although some IoT devices are highly sophisticated, many others may be inexpensive and essentially disposable. In those cases, if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch, leaving consumers with unsupported or vulnerable devices shortly after purchase.
In addition to risks to security, there are privacy risks flowing from the IoT. Some involve the direct collection of sensitive personal information, such as precise geolocation, financial account numbers, or health information – risks already presented by traditional Internet and mobile commerce. Others arise from the collection of personal information, habits, locations, and physical conditions over time, which may allow an entity that has not directly collected sensitive information to infer it.
The sheer volume of data that even a small number of devices can generate is stunning: 10,000 households using an IoT home automation product can “generate 150 million discrete data points a day or approximately one data point every six seconds for each household.” Such a massive volume of granular data allows those with access to the data to perform analyses that would not be possible with less rich data sets.
Yet another privacy risk is that a manufacturer or an intruder could “eavesdrop” remotely, intruding into an otherwise private space. Companies are already examining how IoT data can provide a window into the previously private home. Indeed, by intercepting and analyzing unencrypted data transmitted from a smart meter device, researchers in Germany were able to determine what television show an individual was watching. Security vulnerabilities in camera-equipped devices have also raised the specter of spying in the home.
Finally, risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential and may result in less widespread adoption. Promoting privacy and data protection principles remains paramount to ensure societal acceptance of IoT services.
What constitutes reasonable security?
There appears to be a widespread agreement that companies developing IoT products should implement reasonable security. Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and the costs of remedying the security vulnerabilities.
First, companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:
(1) Conducting a privacy or security risk assessment
(2) Minimizing the data they collect and retain
(3) Testing their security measures before launching their products
Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
Third, companies should retain service providers who can maintain reasonable security and provide reasonable oversight for these service providers.
Fourth, when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
Fifth, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
Business-critical data, once in the wrong hands, may prove very harmful to organizations in terms of finances, image, PR, and the loss of a great deal of effort. On the personal front, any sensitive, highly personal detail that leaks may lead to illegal activities such as blackmail. If implemented properly, cybersecurity in the world of IoT can prove to be a boon by helping to securely close the many loopholes that still need to be considered and taken care of.