
Common Internet of Things Security Pitfalls 

Sloppy Internet of Things security practices continue to dog device makers. Here are common security mistakes to avoid.  
  • Written by Brian Buntz
  • 27th July 2020

Key takeaways from this article include the following:

  • Many IT purchasers continue to distrust IoT devices. 
  • Internet of Things security concerns still constrain how users approach the technology.      
  • The situation is unlikely to improve until IoT device makers sharpen their focus on security and information governance.  

Only a minority of consumers trust the brands they use. And the Internet of Things (IoT) itself has a trust problem in the consumer sector. Privacy concerns and poor user experience have “stymied adoption and created a hesitance among users to trust IoT devices,” wrote William Webb and Matthew Hatton in “The Internet of Things Myth.”

While the adoption of smart home devices continues to tick upward, privacy and security concerns constrain their use to mainly routine tasks. The most popular smart speaker functionality, for instance, is merely playing music, according to eMarketer research.   

Meanwhile, IoT device makers continue to face pushback from consumers and regulators over privacy and security. “We’re in a situation where [IoT manufacturers] are fighting these DDoS [distributed denial of service] attacks and all different types of hacking threats that are out there,” said Dilip Sarangan, senior director of research at Frost & Sullivan.


Add to that the public’s frustration with how manufacturers handle Internet of Things security and privacy. Last year, an Internet Society survey found that 63% of respondents found connected devices to be “creepy.” Three-quarters of respondents did not trust IoT device makers to respect their preferences in how data is used.

The situation is unlikely to change until IoT manufacturers become savvier in terms of information governance. Here, we examine common pitfalls to avoid when developing an IoT product.

Believing Open Source Software Is Bulletproof

Headlines about consumer IoT devices’ insecurity have remained prevalent in recent years. Most recently, researchers discovered a series of vulnerabilities known as Ripple20 in hundreds of millions of IoT devices, extending well beyond the consumer sector. “The Ripple20 vulnerabilities affect a vast array of critical IoT devices, including healthcare systems, power grids, smart home devices and more,” said Natali Tshuva, CEO of Sternum.

The discovery of the Ripple20 vulnerability is not surprising, said Terry Dunlap, a former National Security Agency employee who is now the CEO of ReFirm Labs. Many IoT devices are built with open source components. If there is a flaw in any of these components, “it’s going to get spread far and wide,” Dunlap said. While open source software can provide greater oversight than proprietary software, open source security researchers and developers can’t check for every possible security flaw.

Using a One-Size-Fits-All Approach to Security 

In 2010, when he was chief executive of Google, Eric Schmidt said that the company’s policy was “to get right up to the creepy line and not cross it.” The seemingly brash assessment highlights the balance technology strikes between being helpful and infringing on privacy. But consumer attitudes about privacy vary widely.

While standards such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) prescribe similar practices, the regulatory landscape has grown more complex. “In the world of information risk, the general rule is to build to the highest standard, plan for changes, and account for the exceptions,” said Karen Hobert, an analyst at the Analyst Syndicate.   

Exaggerating Security or Privacy Features in Marketing

There’s a significant demand from consumers for trustworthy technologies. According to the 2019 Edelman Trust Barometer, roughly one-third of consumers trust most of the brands they buy and use. And when it comes to technology, “people are factoring in security promises when they’re deciding what products and services to buy,” said Ari Scharg, a partner at the Edelson law firm. While many consumers are willing to trade some privacy for convenience, they count on technology companies to keep their sensitive data safe, according to a 2019 survey from RSA.

Given that backdrop, technology companies should avoid overselling their products’ security features, Scharg said. One of the most prominent examples of how overpromising can backfire is the video platform Zoom. The maker of the platform, Zoom Video Communications, initially billed the platform as being end-to-end encrypted. But the company later admitted that that feature wasn’t initially supported. 

Blaming Your Customers for Security Problems

While security continues to be an important consideration for consumers, most lack a solid security grounding. Consumers believe “their responsibility to protect their own data is minimal, leading to lax password and information-handling practices,” according to the RSA Data Privacy and Security Survey. 

The dynamic leads some IoT device makers to respond to breaches by faulting their customers for not using secure passwords or multi-factor authentication. “As a general statement, it’s a bad idea to blame your customers,” said Andrew Howard, CEO of Kudelski Security. Security practitioners should do a better job of simplifying security for end-users and educating them, Howard said.

Conflating Privacy with Fairness 

When it comes to information governance, privacy and fairness are both vital concepts. But they are not interchangeable. “Sometimes people conflate those two notions,” said Zulfikar Ramzan, chief technology officer of RSA. 

Facial recognition is a prominent example where the boundaries between those terms have blurred. Notable technology companies have recently backed away from plans to sell facial recognition technology to law enforcement. But the technology’s privacy-infringing potential isn’t at the heart of its controversy, according to Ramzan. The underlying issue is fairness. “If you think about it, my face is the least private thing about myself,” he said. “The real issue is if somebody takes an image of my face and uses it in ways that are questionable or ways that I might not approve.” 

Organizations that fail to consider the fair use of their technology tend to face blowback while the companies most likely to win public support are committed to transparency and consumer empowerment, as McKinsey has observed. 

Integrating Security Controls into Products

Experts continually propound secure-by-design principles, but that doesn’t mean the advice is well-heeded. The cost of grappling with security increases the later it happens in the design process. “In my own experience, it is often upwards of 10 times more expensive to build in security late [in the product development cycle],” Howard said. 

Consumer IoT devices often have thin margins, said Jack Ogawa, senior director, embedded security at Cypress Semiconductor. “If you have a smart thermostat, you might sell a few million units a year,” Ogawa said. “The majority of IoT ‘things’ run at hundreds of thousands of units.” That dynamic causes many companies to use a pay-as-they-go approach to manufacturing. That fact, along with time-to-market pressures, often results in cutting corners when it comes to security.

Discounting Compliance with Privacy Regulation as a Chore

Compliance with new and emerging privacy standards such as GDPR, the Brazilian General Data Protection Law or the California Consumer Privacy Act represents a challenge for many organizations. But complying with such regulations is ultimately “just good business,” Hobert said. Compliance with such laws signals to customers, employees, partners and contractors that a company is trustworthy and responsible. It sends a message that the organization has taken “steps to comply with the law and won’t run into regulatory or legal hot water,” Hobert said. Compliance also communicates that a company “actually understands what data privacy is” and “will be responsive to personal data requests,” she concluded.
