As connected devices permeate homes and offices worldwide, consumers and enterprises tend to overlook the serious digital and physical damage that cybersecurity failures in these devices can wreak.
"These devices offer us a tremendous amount of convenience, but also expose us to risks we may not have spent a lot of time thinking about," Gagan Singh, senior vice president and general manager of mobile at Avast, said in a session at Mobile World Congress Americas in San Francisco on Wednesday. "It's not just digital risk, but physical." For example, a hacker who gains access to your home's smart thermometer can very easily determine when you are at home or away, leaving your house vulnerable, Singh said.
Further, the harm caused by Internet of Things (IoT) devices is more permanent. "If someone has access to a live video stream of a security camera in your home, once that's on the internet, it's there forever," Singh said. "In the old days, if you had a burglary, you could replace the physical assets, but this digital harm is often irreparable."
Cybercrime is getting easier to achieve, attribution is almost impossible, and thanks to the proliferation of IoT, hackers have the ability to attack millions of devices at once, Yossi Atias, general manager of IoT security at BullGuard, said in the session. "There is no boundary between digital and physical anymore," Atias said. "IoT devices control physical aspects of our lives, which opens a wide range of possibilities to cause damage. The boundaries are artificial between consumer IoT, industrial IoT, and enterprise IoT—they're all connected to the same network, and we've seen combined attacks."
The number of connected devices in use is expected to reach 25 to 35 billion in the next two to three years, Singh said. And the type of devices will also expand rapidly to include things like delivery drones.
"All of these devices have intimate details of our lives stored in a server, and we're relying on someone else to be a good custodian of that information," Singh said.
The true issue is protecting the data on the device, not the device itself, Singh said. The best way to do this is to work with a reputable vendor, and to update your software regularly, he added.
"We're experiencing a period that's very exciting, because there is a lot of innovation going on and different parties racing to deploy new applications, devices, and techniques," Domingo Guerra, co-founder and president of Appthority, said in a panel discussion. However, not enough attention is being paid to the potential risks. "We've seen it before where we deploy smart traffic grids or street lights and never think about how to secure it or patch it until it's too late and too costly to address," Guerra said. "The main risk is not enough caution and foresight into how to address this new innovation securely."
Many IoT device manufacturers do not include security in the design phase, said David Schwartzberg, senior security engineer at MobileIron. These manufacturers analyze their projects in terms of cost and time to delivery, and security often falls by the wayside. "There are too many devices for security professionals and pen testers to keep up with," Schwartzberg said. "If they can build security into design before releasing a product, they will have more people buy their product."
When it comes to security in general, and cybersecurity and IoT specifically, there are four circles, Dror Liwer, co-founder and CSO of Coronet, said in the panel discussion: government (which will need to provide regulations to companies), manufacturers (which should be responsible for building secure products and educating users on how to use them properly), enterprises (which need to ensure they know how to implement security protocols and patch problems regularly), and individuals (who need to learn good cyber hygiene).
"In the balance between convenience and security, convenience always wins," Liwer said. "Security has to be convenient." For example, 63% of Americans conduct banking transactions on open Wi-Fi networks, Liwer said. "They know it's risky, but still do it, because it's easy," he added. "We need to make security easy, as if it is part of the fabric, not something they need to learn or add on top of [a device]."
Regulation of IoT devices has been slow. Some 47 US states have security breach notification laws, but only 31 states have data disposal laws in place, Singh said.
"Government regulation is the only way this is going to happen," William Malik, vice president of infrastructure strategies at Trend Micro, said on the panel. "Automobiles didn't get safer until the government regulated them." However, Schwartzberg said he believes that it is up to industries to solve the problem.
As the internet moves into every part of our lives, society needs to take a more holistic view on security education, Rebecka Cedering Angstrom, director of Ericsson's Networked Society Lab, said on the panel. That includes parents educating children, and employers educating employees. "It's not up to one company or industry to educate all of us—it needs to be a natural part of society," she added.