Delegates at the World Economic Forum have been told that weaponization of the IoT is a real and present threat.
John Drzik, president of Global Risk at cyber-security specialist Marsh, told the World Economic Forum in Davos that IoT manufacturers are prioritizing ease of use ahead of security. In doing so, he argued, devices ranging from autonomous cars to drones and smart thermostats are at risk of being used for malicious intent.
John Drzik begins speaking at the 25:03 mark.
Although Drzik’s points come shortly after large-scale cyber-attacks harnessed IoT devices to cause chaos across the connected world, he highlights the potential for criminal activity to become much more personal. Targeted attempts on homeowners with smart thermostats that lack strong security could lead, in the best possible case, to ransom demands.
“You think what could be done with smart thermostats if you have malicious aims in life. It’s beyond science fiction now, it’s happened,” said Drzik.
“Manufacturers aren’t thinking about cyber-security when they are building [a device]. They are thinking: ‘How am I going to connect this to the Internet and supply the convenience to the household and make sure the thing works.’ They weren’t thinking ‘I’ve just widened the attack surface in this household for cyber-security.’ That’s where there is a governance gap right now.”
Weaponization, liability issues and consumer expectations are challenges to autonomous IoT devices
Drzik also delved into the complicated world of liability, specifically when dealing with autonomous cars and drones. While automated vehicles could save thousands of lives through the prevention of accidents and help combat climate change, Drzik rightly pointed out that “You are not going to get 20,000 ‘thank yous’ (one for every life saved) as a result”. Instead, the focus will be on the minority of times when things go wrong or when weaponization occurs.
On drones, Drzik said:
“What if one of these things flies around and crashes into you. Who is responsible? Is it going to be the company using it? The company that built it? The software developer who built the intelligence within it? It’s unclear right now. You have these black box decision-making things that you are using somewhere in your business. Who is responsible? It could be whomever has the deepest pockets. And that’s where if you’re a big business you really have to worry.”
Is potential weaponization a price we have to pay for a successful IoT?
Speaking exclusively to Internet of Business, Ian Hughes from 451 Research suggested that security and usability needn’t be mutually exclusive.
“I do not believe that having insecure devices is a trade-off for the convenience of connectivity,” he said. “There is a risk in any connected system but we need to move to more robust standards across all systems, potentially learning from industrial IoT. Government regulation and policing needs to be in place to ensure standards are met.”
Speaking to Internet of Business, Gemalto marketing and business development director Manfred Kube disagreed that insecurity is the price we have to pay for connectivity.
He said: “Though we have seen IoT adoption approach a tipping point, IoT will not become a part of the mainstream with consumers unless they can trust that their connected devices are secure and their privacy is guaranteed. However, weaponization isn’t a price we have to pay, if the right security solutions are in place. Privacy, security and trust must not be an afterthought when designing for IoT.”
Manufacturers have the most obvious role to play in making devices more secure. “Manufacturers have to consider the entire system that a device may connect into and ensure that their device is not the weak link, nor susceptible to the weak links of others in the chain,” said Hughes.
“This is not simply making sure username/passwords are not obvious or well known, but will have to include constant updates and anomaly detection processes. The software industry offers the working patterns for this, but it requires product manufacturers to evolve into service providers with the correct resources in place. Most previously unconnected products have not required anyone to consider live runtime maintenance once a product is shipped.”