Securing our Internet of Things

on October 24, 2016

If we learned one thing from the DDoS attack that took down many websites on Friday, it is we still have a long way to go when it comes to securing all the connected things in our lives. This particular attack used insecure devices like IP-connected cameras with weak security as tools to perform the attack. This type of focused attack is one way to interrupt internet service and could be used to take down, not just websites, but our payments grid or any number of things which could wreak significant havoc on our society. Let’s hope this attack serves as a wake-up call for the industry.

This whole ordeal caused me to think about the range of connected devices I have in my house and wondering about their security. Most of the devices I have, I have personally secured and I don’t have my DVR (one of the types of IoT devices used in this attack) connected to the Internet. In most cases, I know the security I have in place for my IoT devices but one in particular I had to look into more deeply–my solar panels. Our solar array is connected to our network so I can monitor how it is performing. We secured the log-in with a strong password but they can also be remotely accessed in case we need support from the company we purchased the system from. It was this remote access that I was not aware of the security measures in place.

In many cases, I was fairly aware of the security measures. I’m guessing most consumers are not. The challenge the industry has is to bear the burden of taking the necessary steps to provide increased security and encryption of these devices because the reality is many consumers will not know to take additional measures themselves.

Apple outlines the security measures in place for Homekit devices and this is a solid initiative to provide a framework for security. However, many of the companies selling connected refrigerators, thermostats, IP cameras, coffee pots, etc., are likely not to use just Homekit but other emerging standards as well. The burden of responsibility is on companies providing these consumer products to enforce either stronger passwords or two-factor authentication (or both) in order to make sure consumers are taking the nececcesary steps to secure their IoT devices so they can’t be used for malicious cyber attacks.

Interestingly, in this case, it wasn’t necessarily the fault of the brand selling the IoT products but the component company behind them. Hangzhou Xiongmai Technology admits its products were used in the attack as a malicous worm exposed the weakness in the default security in many of the products their components are found in. The company has said they have sinced patched this vulnerability and consumers should update their firmware if they haven’t already.

My concern with the state of the market right now is the companies rushing to capture a part of the growing connected and smart home market are not fully thinking through the implications of dozens of connected devices in consumers’ homes they may not secure correctly. Consumers, although they will say they want and understand the value of security, rarely take the steps to ensure their own security and privacy. This is why it is so important for companies to bear the burden of this for consumers where they can or making sure they help consumers step up the level of security around their connected products.