SANTA CLARA, CALIF.—Implementing little or no security measures at many endpoint devices could threaten adoption and growth of Internet of Things (IoT) solutions that promise significant efficiencies to enterprises and consumer, according to panelists at Internet of Things World 2018 examining security concerns.
Long ignored by the IoT community, cybersecurity risks associated with connected devices is starting to get the industry attention it deserves, according to John Horn, an independent IoT executive who said he has worked in the space for 18 years on the network, platform and solutions aspects of IoT.
“One thing’s for sure: We’re talking about security a lot now, and it’s about time,” Horn said yesterday during the session. “It used to be that it got mentioned once in an entire conference, but I think every single person that has been on the stage today has mentioned security at least once, if not quite a few times.
“It’s absolutely critical, and I think the biggest challenge that we face is that your entire ecosystem of whatever it is you have—your city, your home, your car or whatever the infrastructure is—is only as strong as the weakest link. A lot of people ignore the weakest link, because they don’t think that’s the easy way or that’s really that critical, but there’s countless examples … where that weakest link was the access to everything bad that happened.”
And there are plenty of weak links in IoT devices, according to panelists. Greg Kahn, president and CEO of the Internet of Things Consortium, said that 70% of the most commonly used IoT device have security vulnerabilities, citing research from Ernst & Young and Hewlett Packard.
Justin Blair, Verizon’s executive director for global business products and solutions, said Verizon’s recent independent research revealed that 50% of business surveyed said they were not aware of—or were not concerned about—cybersecurity risks. The research also unearthed another troubling trend, he said.
“Almost 40% [of businesses responding to the survey] admitted that they’re still using default passwords in their spaces—and these are businesses, not consumers,” Blair said. “It’s frightening.”
Horn agreed that measures should be taken to improve users’ awareness of security and the potential risks that unsecure IoT devices can create.
“We have warnings on everything that everybody buys. Why don’t have more about security?” Horn said. “Stick it on the box or stick it on the device … so people realize that this is a potential entry into your network—whether it’s your privacy or something that could be much more diabolical that could happen with your home or your car. We’ve seen consequences already.
“We’re going to have to do something. As these networks and these devices become more pervasive, the consequences are going to become much greater.”
Blair said it is important that the IoT community developed strong security measures that users can implement easily.
“I think security has to be simple, and it has to work,” he said. “The minute [security] stops working and it’s not simple, people stop using it, and now they’re insecure. I firmly believe that it should be very network-based, so we can have a product that will be useful for years to come and that you can build upon.”
Michaelene Holder-March, director of governance quality and nursing partnership with the National Health Service in the United Kingdom (UK), said balancing the benefits and security risks associated with IoT functionality in the healthcare industry is a real concern, particularly as the technology is provided to at-home patients.
“The benefits for a healthcare setting is that we’re saving millions, in regard to reduced amount of admissions and discharges, the social aspect of it,” Holder-March said. “The risk is not really understanding the system that we’ve placed in their homes, when to switch it off and how it impacts their privacy.”
Horn said that the access networks have proven to be “very secure” and that there haven’t been failures in the solution layer of the IoT ecosystem, but the same cannot be said about many IoT devices that available today.
“No one thinks that doorbell service is going to be the access to basically take control of your home and create a difficult environment,” Horn said. “I think it’s critically important that we realize that all of these little parts are really the biggest challenge.
“Someone said today in one of the keynotes, ‘Don’t worry about the little stuff; we’ve got to take care of the big stuff.’ I think it’s just the opposite. I think the big guys—the carrriers—are doing a great job of taking care of the big stuff. It’s at the device level [where security problems exist,] and it’s got to get better.”