How do you know you can trust your IoT device?
It is commonly understood and accepted that no one is safe on the internet from hacking, phishing and other malicious actions, but users of computing devices wired to transfer data over global IoT network are especially at risk. Although these intelligent devices add convenience daily and help us track a myriad of processes and information, the point is to remember it’s not if a cyberattack will compromise them, but when. How prepared the user or organization is to survive the strike is critical.
Connected devices such as voice-enabled intelligent virtual assistants, smart watches, alarm systems and automatic locks are becoming ubiquitous and a way of life. This trajectory is not going to level off; it will only be driven upward by the explosive growth in devices.
Extreme growth in IoT devices
Estimates for the accelerating count of connected devices in use vary, but they number is in the billions. For example, there will be around 29 billion connected devices by 2022 and about 18 billion will be related to IoT, according to Ericsson. Furthermore, declining device costs, new applications, standardization, evolving LTE functionality and 5G capabilities are all likely to extend the range of critical IoT deployments.
IT pros know they should install antivirus software on their computers and be careful of what websites they visit or software they download. Consumers might not know to consider IoT devices to be a security threat. IoT devices make their lives more integrated, but many companies behind these devices might not design them with security in mind, according to the Center for Internet Security (CIS).
For example, many IoT devices have widely used default passwords that cannot be changed easily, or at all. IoT devices can also be difficult or impossible to update to mitigate known vulnerabilities, or lack settings to customize security, according to CIS.
People’s dependence on connected devices has grown faster than the means and awareness to secure them, according to CIS. Leaving IoT devices unsecured is akin to leaving the back door to your house unlocked. It gives attackers access to personal information and the opportunity to compromise any device on a network. It also hands cyberattackers the means to spread their attacks to others by using insecure consumer devices.
Consumers might not understand what they need to do to ensure the security of a device. Furthermore, they might not understand what to look for in a product when selecting a device. Essentially, consumers don’t know what they can trust and what they can’t.
Manufacturers should actively create trust, making consumers feel secure and safe to use their products; whether hardware or software. Cyber certification programs for manufacturers can help IoT organizations do this.
Universal mark of trust for IoT devices
For years, companies have offered a seal of trust ensuring the safety, accuracy and applicability of their products, including IoT devices. For example, BSI offers the Kitemark seal of trust. Companies that invest in measures to make connected devices safer to use can ensure their devices function and communicate as they should, and have the appropriate security controls in place.
Products should pass both a functionality and interoperability assessment, and must be able to give assurance that the product is resilient and will function safely and securely throughout its intended life. Products should also undergo regular monitoring and assessment testing, and an audit to review any necessary remedial action. If security levels and product quality are not maintained, companies risk losing the trust of their consumers.
A series of one-off tests for a connected device don’t really assure much when a consumer is looking for a device to perform securely for years to come in their home. Companies that undergo periodic independent testing and monitoring of their IoT products throughout their shelf life demonstrate to customers their commitment to safeguarding their information.
New industry standards
It is also important for consumers to go beyond the industry standard and conduct additional checks, such as assuring that the device does what it’s intended to, which can’t be taken for granted. For example, does a connected lock really perform effectively as a lock?
While no certification can ever guarantee 100% security, it’s critical to ensure an internet-connected device has the appropriate security controls in place for the information it is handling. In this rapidly changing world of technology in which many claims are made about the cybersecurity of products, companies and consumers must both be held accountable for IoT device security.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.