In May, news surfaced about a researcher who allegedly hacked into a commercial airplane’s systems and gained control of one of its engines during flight. Within months, various security researchers showed the world how they could remotely take control of a Jeep on a highway and remotely unlock a Tesla. A few years ago, reports of hackers hijacking wireless pacemakers stirred panic, and more recently the devices in our homes have been shown to be easily compromised.
Advice from cybersecurity experts: expect a lot more of this going forward.
{mosads}Where once we spoke of household appliances, vehicles, medical devices and other equipment as “standalone” devices, this distinction has blurred in recent years and is often no longer true. No matter their function, more and more of the objects in our daily lives are now connected to the internet and are accessible wirelessly. They’re networked together and trading information – and the more this happens, the more we rely on the conveniences afforded by this increasing connectivity. As such, the so-called “Internet of Things” (IoT) is the new frontier of vulnerability.
CNN reported in February that some Samsung Smart TVs are equipped with voice recognition, which has a mode that can capture what you say for transmission to servers around the world. Who wants the TV in the family room eavesdropping on conversations? Apparently, many of us, are willing to trade some privacy for convenience, as is demonstrated by the adoption of products like Amazon’s Echo. By default, this device is always listening for its “wake word” in order to preform various user commands, unless the microphone is physically turned off. Having the ability to simply speak anytime we want something is enormously convenient (and the more companies we buy from learn about us, the better they can serve our needs), but in the wrong hands such technologies can be very scary. In essence, anyone who can hack such devices can listen to everything that goes on around us.
The more people adopt a particular technology, the harder cybercriminals will work to find ways to exploit that technology. Considering that a recent IDC report forecasted the IoT market to grow from $658.8 billion in 2014 to $1.7 trillion in 2020, we should be exploring not just the rewards of our interconnected future, but how to limit and manage the risks as well.
Simply put, it’s a balancing act: the more we connect appliances and devices the higher the value to us, but also the greater the risk that cybercriminals will use the increased accessibility against us. For this reason we should think about the IoT acronym as having two meanings: the “Internet of Things” and the “Internet of Threats.”
Last year, one of our security researchers, David Jacoby, conducted a research experiment in his own living room – a personal cyber-security audit of sorts. From his Blu-ray player to his Smart TV and across all of his network attached storage and other computer devices, he wanted to find out how vulnerable they were to cyber-attack. The not at all surprising answer was sobering. He discovered a vast set of vulnerabilities that attackers could exploit from weak passwords, to a lack of encryption, to hidden features that leave users exposed. And as we look around, we realize that such IoT devices are everywhere – not simply in our pockets but preparing our food, controlling our homes and transporting our families.
The threat is looming and obvious to anyone willing to look towards the horizon. The question that really faces us is what should we do about it? How do we establish a secure framework for the new IoT world that is inevitably coming?
Policy makers are beginning to produce ideas for dealing with the challenges ahead. In the transportation sector, Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have introduced legislation requiring federal standards for automakers to secure vehicles against cyber-attack. But legislating the digital world is a challenge because policy processes move more slowly than cyber criminals.
That is why this is not just a legislative issue. It will take much more work across the board to increase the needed protections for consumers. Every agency and industry has a stake, and vulnerabilities to avoid, in this work. Industries exploring IoT technologies must consider the security and privacy risks at each stage of development and should collaborate with experts in the cybersecurity industry. Policy makers must recognize the implications of an increasingly networked society. Security is no longer a box that one checks off at the bottom of a long checklist – it should be baked into everything that is done, every step of the way.
The longer we wait to assume the responsibility that IoT truly requires, the more expensive it will become to “fix” it later. Already, recent research from MarketsandMarkets indicates that the global IoT security market is expected to grow from $6.89 billion in 2015 to $28.90 billion by 2020, and that’s without any high-profile financial losses or privacy breaches (yet).
There is already a huge amount of competition around IoT and as companies rush to beat competitors to market and seek new ways to enhance our lives with convenience, automation and seamless service, security may seem a secondary concern. But this is a mistake. The cost of insecurity is too high – we either pay now by factoring-in security, or the cost to us all will be much higher later, in the form of losses and retroactive “fixes.”
Now is the time for us to work together to safeguard all our connected devices.
Doggett is managing director of Kaspersky Lab North America.