Why IoT Security Faces Similar Challenges to Gun Control

Top-down security controls that interfere with usability can spark opposition.
  • Written by Brian Buntz
  • 15th March 2019

Let’s compare, for a moment, Internet of Things devices to guns. To be sure, the comparison is an imperfect one, but the prospect of securing IoT devices — along with traditional computing devices — bears a certain resemblance to gun regulation. Both guns and IoT devices have clear legitimate uses, but potential for misuse. The volume of guns and IoT devices in circulation has considerably increased in the past decade. Furthermore, IoT devices can be weaponized — and in the case of critical infrastructure, industrial environments and autonomous cars, they can pose a safety risk. But top-down approaches to address insecure IoT devices and gun violence are at once challenging to implement and can fuel debate as to the best means to address them.

Top-down approaches for cybersecurity can lead to increased product and technological deployment costs. And while they can decrease risk, they can often interfere with usability. As with gun control, such measures can spur pushback from device users. For instance, New York resident Jay Brodsky filed a class action lawsuit against Apple for coercing users into using two-factor authentication. Brodsky argues in the filing that users should be able to decide on their own security level, enabling them to “freely enjoy and use” their devices.

A similar example emerged when the smart home company Nest recently made headlines after a California family with a Nest camera heard a warning of a bogus North Korean missile attack through the device’s speaker. Nest parent company Google responded to this and other similar breaches with this statement to Mercury News, which first published the story: “These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of security risk.” Google also revealed it is “actively introducing features” to force users with compromised passwords to update them. The company is also offering features for account monitoring while keeping tabs on users who exploit credentials.

The parallels between IoT security and gun control are fairly clear. But in another regard, Nest and other IoT technology providers are in a similar position as medical professionals rationally arguing to anti-vaccination advocates that vaccines are in their best interest. Two-factor authentication is somewhat analogous to getting a booster shot. Sure, it’s unpleasant in the short term, but it beats getting the measles — or getting hacked. But as with vaccinations, even a small percentage of people who choose to view cybersecurity as an infringement on usability can make the entire ecosystem less secure.

“How much blame can you put on Nest because they want to be in the market and sell a product?” asked Chester Wisniewski, principal research scientist at Sophos. “If they force people to put two-factor on their cameras, then some people would stop buying these cameras because some people are that stubborn about not doing something to protect themselves. Where do you draw the line on these things?”

Wisniewski recounts asking a chief information security officer at a credit union why the company offers two-factor authentication. “And he said: ‘It’s just a math thing when you are a business offering a product.’” It could potentially be expensive for the organization to implement, but it could theoretically reduce the cyber-risk profile for its customers if it were mandatory. But the very people who ask for two-factor authentication tend to be the ones who are security minded, who already have secure passwords. “The people who are most likely to be hacked are the people who don’t care. And they wouldn’t turn [two-factor] on if it was optional,” Wisniewski said. And if the credit union made two-factor mandatory, Wisniewski suspects that such users would simply find a new bank that didn’t require it.

“This is actually the story of IoT writ large,” Wisniewski said. Both end users and manufacturers play a role in creating an unsecured ecosystem. According to Wikipedia, “123456” and “password” have been vying for the dubious title of being the most-popular passwords since 2011. A number of manufacturers have been similarly lazy in their use of, for instance, “admin” as both the default username and password for networked devices such as routers, IP-connected cameras, networked industrial hardware, connected medical devices and other IoT devices. The widespread use of default usernames and passwords, and the fact that few companies have forced users to pick new and secure replacements for them, helped feed the 2016 Mirai botnet, which enabled an army of connected routers, surveillance cameras, DVR devices and other gadgets to cause prominent websites such as Reddit, Netflix and Airbnb to be inaccessible for many users, primarily in the United States. In the IoT world, Mirai was something like the 1999 Columbine High School shooting — a headline-grabbing event with the seeming potential to drive more stringent security across the landscape. But the Columbine shooting and the Mirai botnet provided a template for future attacks rather than kick-starting a new security template. The 2019 Nokia Threat Intelligence Report notes that “IoT botnet activity has increased substantially since the introduction of Mirai in 2016” with many IoT botnets building on Mirai’s source code, which was made open source in October of that same year.

Returning to the comparison between IoT devices and guns, industrial organizations — especially utilities and energy firms — are in some respects similar to the military. They have defined procedures for procurement and training users to operate equipment safely and they have the clout to influence whole ecosystems.

“With the industrial IoT, a lot of the market is driven by a few very large purchasers who can kind of dictate what the product space is going to look like, at least for their new acquisitions,” Wisniewski said. If, say, an oil-and-gas company is spending half a billion dollars to rebuild part of a refinery, it is likely to force its suppliers to meet a defined security threshold. Wisniewski said this growing security awareness among prominent industrial firms and government organizations like NASA is having a trickle-down effect in the industrial IoT ecosystem.

While there is growing movement toward IoT-security–related standards, best practices and regulation such as a California law that would raise the bar for devices sold in the state beginning in 2020, instituting sweeping changes to the IoT security ecosystem across the entire world could be as unlikely as passing significant changes to U.S. gun laws. One possible response from IoT manufacturers to California’s upcoming IoT legislation is to simply stop selling products to citizens in the state. “The truth of the matter is, we can’t tell the whole world they can’t have an insecure camera, and that means we still have a problem when we’re talking about denial of service,” Wisniewski said. “To solve this, you have to fix it within the supply chain, so the incentive needs to somehow affect the manufacturers of these things in Malaysia, China, Taiwan or wherever they are made.”

“I think one of the ways we might see progress is in international trade treaties,” Wisniewski said. “If the WTO and others can make cybersecurity a priority and decide on international standards [for IoT devices sold throughout] the world, that could be a pressure point.”
