Why IoT Security Faces Similar Challenges to Gun Control

Top-down security controls that interfere with usability can spark opposition.
  • Written by Brian Buntz
  • 15th March 2019

Let’s compare, for a moment, Internet of Things devices to guns. To be sure, the comparison is an imperfect one, but the prospect of securing IoT devices — along with traditional computing devices — bears a certain resemblance to gun regulation. Both guns and IoT devices have clear legitimate uses, but potential for misuse. The volume of guns and IoT devices in circulation has considerably increased in the past decade. Furthermore, IoT devices can be weaponized — and in the case of critical infrastructure, industrial environments and autonomous cars, they can pose a safety risk. But top-down approaches to address insecure IoT devices and gun violence are at once challenging to implement and can fuel debate as to the best means to address them.

Top-down approaches for cybersecurity can lead to increased product and technological deployment costs. And while they can decrease risk, they can often interfere with usability. As with gun control, such measures can spur pushback from device users. For instance, New York resident Jay Brodsky filed a class action lawsuit against Apple for coercing users into using two-factor authentication. Brodsky argues in the filing that users should be able to decide on their own security level, enabling them to “freely enjoy and use” their devices.


A similar example can be found in the smart home company Nest, which recently made headlines after a California family with a Nest camera received a warning through the device’s speaker of a bogus North Korean missile attack. Nest parent company Google responded to this and other similar breaches with this statement to Mercury News, which first published the story: “These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of security risk.” Google also revealed it is “actively introducing features” to force users with compromised passwords to update them. The company is also offering features for account monitoring while keeping tabs on users who exploit credentials.

The parallels between IoT security and gun control are fairly clear. But in another regard, Nest and other IoT technology providers are in a similar position to medical professionals rationally arguing to anti-vaccination advocates that vaccines are in their best interest. Two-factor authentication is somewhat analogous to getting a booster shot. Sure, it’s unpleasant in the short term, but it beats getting the measles — or getting hacked. But as with vaccinations, even a small percentage of people who choose to view cybersecurity as an infringement on usability can make the entire ecosystem less secure.

“How much blame can you put on Nest because they want to be in the market and sell a product?” asked Chester Wisniewski, principal research scientist at Sophos. “If they force people to put two-factor on their cameras, then some people would stop buying these cameras because some people are that stubborn about not doing something to protect themselves. Where do you draw the line on these things?”

Wisniewski recounts asking a chief information security officer at a credit union why the company offers two-factor authentication. “And he said: ‘It’s just a math thing when you are a business offering a product.’” It could potentially be expensive for the organization to implement, but it could theoretically reduce the cyber-risk profile for its customers if it were mandatory. But the very people who ask for two-factor authentication tend to be the ones who are security minded, who already have secure passwords. “The people who are most likely to be hacked are the people who don’t care. And they wouldn’t turn [two-factor] on if it was optional,” Wisniewski said. And if the credit union made two-factor mandatory, Wisniewski suspects that such users would simply find a new bank that didn’t require it.

“This is actually the story of IoT writ large,” Wisniewski said. Both end users and manufacturers play a role in creating an unsecured ecosystem. According to Wikipedia, “123456” and “password” have been vying for the dubious title of being the most-popular passwords since 2011. A number of manufacturers have been similarly lazy in their use of, for instance, “admin” as both the default username and password for networked devices such as routers, IP-connected cameras, networked industrial hardware, connected medical devices and other IoT devices. The widespread use of default usernames and passwords, and the fact that few companies have forced users to pick new and secure replacements for them, helped feed the 2016 Mirai botnet, which enabled an army of connected routers, surveillance cameras, DVR devices and other gadgets to cause prominent websites such as Reddit, Netflix and Airbnb to be inaccessible for many users, primarily in the United States. In the IoT world, Mirai was something like the 1999 Columbine High School shooting — a headline-grabbing event with the seeming potential to drive more stringent security across the landscape. But the Columbine shooting and the Mirai botnet provided a template for future attacks rather than kick-starting a new security template. The 2019 Nokia Threat Intelligence Report notes that “IoT botnet activity has increased substantially since the introduction of Mirai in 2016” with many IoT botnets building on Mirai’s source code, which was made open source in October of that same year.

Returning to the comparison between IoT devices and guns, industrial organizations — especially utilities and energy firms — are in some respects similar to the military. They have defined procedures for procurement and training users to operate equipment safely and they have the clout to influence whole ecosystems.

“With the industrial IoT, a lot of the market is driven by a few very large purchasers who can kind of dictate what the product space is going to look like, at least for their new acquisitions,” Wisniewski said. If, say, an oil-and-gas company is spending half a billion dollars to rebuild part of a refinery, it is likely to force its suppliers to meet a defined security threshold. Wisniewski said this growing security awareness among prominent industrial firms and government organizations like NASA is having a trickle-down effect in the industrial IoT ecosystem.

While there is growing movement toward IoT-security–related standards, best practices and regulation such as a California law that would raise the bar for devices sold in the state beginning in 2020, instituting sweeping changes to the IoT security ecosystem across the entire world could be as unlikely as passing significant changes to U.S. gun laws. One possible response from IoT manufacturers to California’s upcoming IoT legislation is to simply stop selling products to citizens in the state. “The truth of the matter is, we can’t tell the whole world they can’t have an insecure camera, and that means we still have a problem when we’re talking about denial of service,” Wisniewski said. “To solve this, you have to fix it within the supply chain, so the incentive needs to somehow affect the manufacturers of these things in Malaysia, China, Taiwan or wherever they are made.”

“I think one of the ways we might see progress is in international trade treaties,” Wisniewski said. “If the WTO and others can make cybersecurity a priority and decide on international standards [for IoT devices sold throughout] the world, that could be a pressure point.”
