Let’s skip the part where we talk about how many fancy IoT devices people will have in 5 years. We can also skip the part where we talk about the benefits of these devices. Let’s face it, we love these devices and we will keep buying them. We do that because we believe in the connected future.
But some of us (at least I am) are a little bit concerned about the potential risks related to the security and privacy of these connected devices. Hacks happen almost on a daily basis. In fact, some say that every single Fortune 500 company has been hacked. But with IoT, these hacks will be very personal: someone will hack into your living room, someone will hack into your baby monitor, and someone will take over your smart TV. Examples of IoT hacks can be found from here.
Why is it that these connected devices are being hacked over and over again?
The list below, while not exhaustive, explains some of the reasons why these new connected devices are so easy to hack and why we’re likely to see more hacks in the future.
MVP stands for Minimum Viable Product. The point an MVP is to build something fast and put it on the market to learn about customer reactions. As you get more feedback you iterate or maybe pivot. Needless to say, there is tremendous pressure to release the MVP as soon as possible. As the team is spending all their waking hours getting the product released, do you think security and privacy get the right amount of attention? There are numerous examples that indicate that the answer is no.
Ease of use and coolness trumps security. Another problem is that security loses against usability and coolness when new products are being designed. In most cases we’re talking about simple tradeoffs: do you ask the user, for example, to create a strong password during the setup process? By skipping this step, the setup process will be shorter and smoother. Often, the (initial) customer experience is more important than security and privacy.
Security experts can be difficult to come by. Pick an established company that has been making, for example, thermostats for the past 50 years. In the old world, that thermostat was not connected to the internet and customers didn’t control it with an app. Security and privacy were not issues. The new world is obviously different and modern thermostats are connected to the internet, perhaps to an IoT hub, and they may be controlled by a smartphone. Clearly engineering teams need new talent with a focus on cyber security and how to manage customer data. But this talent may not come cheap (and it might not be readily available).
Ship fast (and forget it). Anyone who has ever worked at product company knows the happiness (and pressure) of releasing new products quickly. Immediately after the first product is released, you start working on the next one and then the next one. Customers don’t, however, always buy all of the latest and greatest models (even if we want them to). Customers probably expect that a connected thermostat, for example, will stay put for the next 3, 5, maybe even 10+ years. The question is, will the vendor keep updating the software on the first generation thermostat? Or are their best and brightest people working on the 11th generation product? The “Ship and forget” mentality leaves customers with devices that are running several years old software that has never been updated, and hence, these devices might have severe security flaws.
Customer as the weakest link. Even if an update was available, would your typical customers go through the hassle of updating their IoT devices? Would they have the energy? Would they have the skills? Would they bother to change the default password on their new gadget? No matter what manufacturers do, the customer might still be the weakest link when it comes to securing various IoT devices.
Complex supply chain. The worst part for the device vendors? Suppliers and partners who let you down! Very simple: you built a great product and yes, you cared about security and privacy…only to find out that your manufacturer got hacked several years ago and every device leaving their factory is already compromised. Or maybe the cloud vendor you used to store valuable customer data didn’t bother to secure its cloud. Choose your partners carefully: you never know who will jeopardize your brand.
Cybercrime as a service. By now you’re starting to get the point. Securing IoT devices can be quite complicated. Let’s add one more factor: the fact that nowadays almost anyone can become a hacker. Just by watching YouTube videos people can learn basic skills. For people who want to take this to a new level, there is the dark web. Anyone can buy exploit kits from the dark web, pay with bitcoins, and the customer service is actually better than with most cable providers! Why would someone bother? Money. Some believe that ransomware will move from computers to IoT devices.
Does this mean that we’re doomed? Should people put their IoT shopping sprees on hold? I don’t think so. But should consumers pay more attention when it comes to buying devices and connecting them to the Internet? Yes. Should the consumers go through the hassle of using unique passwords and making sure they update the software on their various devices? Yes, absolutely.
My old boss used to ask us a critical question whenever we were working on a new feature or when we were about to release a new product: “Are you proud of this product?”. It was a simple question that made us all think if we were truly ready. I can challenge you to add a second part to that question: “Do we have plans to keep this product and the customer data we collect secure?”.
For my part, I will keep debating with my wife which devices are connected to the Internet and which are not.