Securing our Internet of Things

If we learned one thing from the DDoS attack that took down many websites on Friday, it is we still have a long way to go when it comes to securing all the connected things in our lives. This particular attack used insecure devices like IP-connected cameras with weak security as tools to perform the attack. This type of focused attack is one way to interrupt internet service and could be used to take down, not just websites, but our payments grid or any number of things which could wreak significant havoc on our society. Let’s hope this attack serves as a wake-up call for the industry.

This whole ordeal caused me to think about the range of connected devices I have in my house and wondering about their security. Most of the devices I have, I have personally secured and I don’t have my DVR (one of the types of IoT devices used in this attack) connected to the Internet. In most cases, I know the security I have in place for my IoT devices but one in particular I had to look into more deeply–my solar panels. Our solar array is connected to our network so I can monitor how it is performing. We secured the log-in with a strong password but they can also be remotely accessed in case we need support from the company we purchased the system from. It was this remote access that I was not aware of the security measures in place.

In many cases, I was fairly aware of the security measures. I’m guessing most consumers are not. The challenge the industry has is to bear the burden of taking the necessary steps to provide increased security and encryption of these devices because the reality is many consumers will not know to take additional measures themselves.

Apple outlines the security measures in place for Homekit devices and this is a solid initiative to provide a framework for security. However, many of the companies selling connected refrigerators, thermostats, IP cameras, coffee pots, etc., are likely not to use just Homekit but other emerging standards as well. The burden of responsibility is on companies providing these consumer products to enforce either stronger passwords or two-factor authentication (or both) in order to make sure consumers are taking the nececcesary steps to secure their IoT devices so they can’t be used for malicious cyber attacks.

Interestingly, in this case, it wasn’t necessarily the fault of the brand selling the IoT products but the component company behind them. Hangzhou Xiongmai Technology admits its products were used in the attack as a malicous worm exposed the weakness in the default security in many of the products their components are found in. The company has said they have sinced patched this vulnerability and consumers should update their firmware if they haven’t already.

My concern with the state of the market right now is the companies rushing to capture a part of the growing connected and smart home market are not fully thinking through the implications of dozens of connected devices in consumers’ homes they may not secure correctly. Consumers, although they will say they want and understand the value of security, rarely take the steps to ensure their own security and privacy. This is why it is so important for companies to bear the burden of this for consumers where they can or making sure they help consumers step up the level of security around their connected products.

Published by

Ben Bajarin

Ben Bajarin is a Principal Analyst and the head of primary research at Creative Strategies, Inc - An industry analysis, market intelligence and research firm located in Silicon Valley. His primary focus is consumer technology and market trend research and he is responsible for studying over 30 countries. Full Bio

9 thoughts on “Securing our Internet of Things”

  1. It would be interesting to look at Denial-of-service attack as a manifestation of WWW AI. Organizers of Mirai know more than “white” security experts about the security of IoT devices. Wouldn’t it be just another Holly’s from Red Dwarf “Sorry,Dave…”?

  2. I have a related, but slightly different issue that I just encountered. It requires a short explanation.

    My car has a loud scraping noise coming from the right rear tire. Undoubtedly, a brake pad issue. I called a Ford dealer earlier today on my iPhone (7), discussed the issue with a technician, and made an appointment to take it in and have it worked on.

    This comment is the first time I have posted about it on the internet. I have not searched for it or otherwise viewed any websites related to it.

    I opened Google Chrome on my Surface Pro 3, and saw an “Adchoices” ad served up by Google. It was unusual enough that I took a screenshot of it. I can’t post it here, but this is the text:

    Mercedes-Benz (Official)

    Our Brakepads Eliminate Virtually All Brake Noise. Watch and Learn More.

    The text is accompanied by a video showing a wire-frame animation of brake pads on a wheel.

    So I’m left to wonder how they could have possibly gotten this info on me and served up an ad. It is too much of a coincidence to be a coincidence. Then I remember that the iPhone now does voice-to-text on all voicemail, giving you a rough preview of what the person said in a message. And I have Chrome on my iPhone, which may matter.

    Whether it was Apple, Google, or both, I cannot come to any other conclusion but that they actually data-mined my audio call with the Ford dealer using text-to-speech without my knowledge, and that info was somehow translated into a Mercedes ad through Google, addressing the precise issue I have with my car.

    Am I crazy, or is this happening? Did I consent to it without knowing?

    1. Was just reading about Project Hemisphere, which is receiving scrutiny as part of AT&T’s merger attempt. It may be Verizon doing this. But AdChoices is Google. I’ve been racking my brain for some point where I typed it into Google or visited a website about the subject. I can’t come up with it. And the ad appeared within a couple of hours after I made the call.

Leave a Reply

Your email address will not be published. Required fields are marked *