Why Securing The Internet Of Things Presents Such A Massive Challenge

There are an estimated 8.4 billion internet-enabled devices active today that make up the massive, interconnected Internet of Things—many of which fail to meet basic security standards that leave users at risk.

That already significant issue is only being made worse as more devices come online every day and it’s a problem that Zuora chief security officer Pritesh Parekh, Walmart Vice president and deputy chief information security officer Adam Ely and Juniper chief technology and security officer Kevin Walker regularly think about.

The trio spoke Tuesday at the Structure Security event in San Francisco, where they laid out potential areas of focus for wrangling the unruly collection of internet-connected devices, as well as presenting some of their biggest fears about current flaws.

Those fears ranged from the seemingly innocuous—such as an internet-connected light bulb transmitting a Wi-Fi password unencrypted to a database with no password that could eventually lead to a breach of a network—to dangerous and life-threatening incidents, like a car wash being hijacked and controlled remotely to damage a vehicle or trap a person inside.

In each case, there has already been evidence to suggest such attacks could happen—smart light bulbs have exposed people’s Wi-Fi passwords, and hackers have discovered a way to hijack car washes to take control of each element of the cleaning system.

"I'm thinking about the lessons we haven't learned yet,” Ely said. “The challenges that we see with all these IoT attacks... we haven't learned those lessons, manufacturers haven’t learned those lessons."

Ely said during his time working at TiVo, the security team was concerned about the possibility that the company’s devices, if left unsecured, could be hijacked and used to create a botnet that would contain millions of internet-connected devices located around the world.

That was a concern of the TiVo team in 2009. In 2016, the Mirai botnet used millions of unsecured IoT devices to launch denial of service attacks against Domain Name System (DNS) provider Dyn and took down popular internet services and websites including Amazon, Netflix, Spotify, Twitter, CNN and others.

With many IoT device makers still failing to defend against threats that experts were concerned about more than a half-decade ago, a question arises as to how the growing collection of internet-connected devices can be secured.

According to Walker, the best solution is for consumers to vote with their wallet. “I think at the end of the day, for IoT, I think the market has to drive the answers,” he said. “Demand better quality products with your wallet."

Walker didn’t rule out the possibility of government legislation, but noted the people who write legislation often aren’t experts and a standard set in one nation doesn’t necessarily solve the problem for manufacturers working in other countries.

He suggested a “framework guidance,” be it from the government or from industry groups, could provide for better standards. Walker pointed to how the National Highway Traffic Safety Administration (NHTSA) has worked with automotive makers to set up frameworks for self-driving cars as a potential example for the Internet of Things.

Ely said the framework could create a full cycle of security standards if partnered with other organizations that held IoT device makers to the higher standard. “After we come out with a framework and a guidance for safety of connected devices, manufacturers can build to secure standards,” he said. “Then we can have consumer organizations...that can start to actually measure that compliance.”

For the time being, those protections aren’t in place and consumers are left to do the research on their own to ensure they aren’t introducing a device into their home that could present a security risk. It’s a situation that in the long term isn’t tenable.

"Consumers should be educated about device safety but it shouldn't be an option,” Pritesh Parekh of Zuora said. “By default, these devices should be secure."

For now, consumers have to live with the possibility that their device is collecting information about them—a problem that presents as many privacy concerns as it does security-centric ones.

"If [a device] has a microphone, we have to accept the fact that we don't have privacy in front of that device because we don't control that device," Ely said. "We may have gone out and purchased it from a retailer but we don't really own the operation of it."

His advice to consumers: think about the risk involved with each device and “if the risk is too high, don't do it."

Editor’s Note: Newsweek Media Group and International Business Times partnered with Structure to host Structure Security 2017.