The internet of things (IoT) is a seemingly ever-expanding market, with IDC predicting that it will grow to 41.6 billion connected devices by 2025, carrying more than 79 zettabytes of data. Connected devices have become a mainstay in industries including manufacturing and healthcare, and much of this growth is also driven by consumers purchasing connected devices such as smart speakers and TVs, to thermostats and kitchen appliances.
There is clearly a lucrative opportunity for vendors, however, these devices need to be robustly secured by manufacturers and service providers, otherwise they could leave the back door open for cybercriminals to enter the connected home.
IoT threats on the rise
The number of IoT threats observed by F-Secure Labs doubled in 2018, with most using predictable, known techniques to compromise devices. Nearly nine out of 10 observed threats (87 percent) targeted weak or default credentials and/or unpatched vulnerabilities.
Indeed, the FBI has said that threat actors are compromising IoT devices “with weak authentication, unpatched firmware or other software vulnerabilities, or employ[ing] brute force attacks on devices with default usernames and passwords”.
While these vulnerabilities would allow a threat actor to hijack a device, clearly threat actors are not breaking into the connected home with the aim of controlling the central heating. Instead, IoT devices are generally used as the gateway for further attacks.
Many of the new threats observed relate to threat actors using the computing power of connected devices to mine cryptocurrency. There is also the risk that, as smart homes are ecosystems of interconnected devices, one connected gadget with weak security could enable a threat actor to compromise the entire network. This could have implications for the privacy of those living in the connected home, with cybercriminals potentially able to find out almost anything about a family’s homelife – for example determining when the home is unoccupied and vulnerable to burglary. Attackers may also use IoT devices as a stepping-stone to data on laptops and mobile devices. Such interconnectivity also means that one infected device could also greatly reduce the efficiency of others.
These obvious security risks are creating a sense of urgency that a comprehensive cyber security solution is required to defend the connected home.
Opportunities for securing the connected home
Aside from the likes of Google, Amazon and other experienced tech giants, many vendors of IoT devices have little or no prior experience in creating them, meaning that they often overlook security. Until recently a lack of regulations has meant that manufacturers were not held to account for poor security. Fortunately, law makers are catching up, with California having introduced legislation to force manufacturers to install security from 2020 and the UK now considering similar measures.
Manufacturers, however, should not simply build in security because they are compelled to by law. Instead, they should be providing greater security in their devices as a selling point. Privacy concerns have come to the forefront for consumers following scandals such as Cambridge Analytica, and they are showing an appetite for tech that protects their personal data.
Manufacturers can begin to produce devices that are able to withstand cyber attacks by following code of practices such as the UK’s Secure by Design. This contains 13 practical guidelines to help manufacturers protect the privacy and safety of consumers, while making it easier for them to securely use their products.
There is also a significant opportunity for ISPs to provide security to protect all devices within the connected home. By providing a comprehensive set of security solutions such as secure routers, parental controls and apps, ISPs can help protect a network, regardless of the security measures on individual devices. This is likely to be a key selling point for security-conscious consumers.
Consumers want to be safe when they use connected devices, but they do not want to have to do anything overly complicated to do this. By offering easily secured devices and straightforward solutions, vendors have the opportunity to secure the trust of consumers and protect their reputations, both of which will stand them in good stead as the connected home market continues to grow.
By Tom Gaffney, Security Consultant at F-Secure