In a recent public service announcement (PSA), the FBI warned the public that Internet of Things (IoT) devices are very attractive targets for hackers. Separately, a recent market survey noted that very few surveyed consumers felt that they understood the nature of the IoT even though the vast majority of those same consumers owned what would be considered IoT devices. This gap in understanding only shows that unraveling the Gordian Knot of IoT security will require an approach that goes beyond technology alone.
IoT devices provide a particularly inviting set of threat surfaces to a connected society already besieged by an increasingly sophisticated black hat community. If that isn't sufficient cause for concern, the implications of a world of compromised IoT devices are even more worrisome. As the FBI warns in its PSA, IoT devices present a rich target of opportunity because hackers can typically attack them simply by exploiting weak authentication or unpatched firmware, or even just by taking advantage of default usernames and passwords. Once compromised, IoT devices in their great numbers can serve as proxies for masking illicit internet activity, quietly probing legitimate sites, or actively attacking sites in huge botnet swarms.
The FBI warns that users may find it difficult to detect compromised IoT devices, largely suggesting that users watch their internet performance and usage trends for any signs of trouble. At the same time, the FBI suggests that consumers frequently reboot their devices, change passwords, update firmware, check their firewalls, and isolate IoT devices.
All of these are of course reasonable suggestions, but it's hard to imagine that many consumers have the patience and wherewithal to configure their IoT devices, firewalls, and networks to tighten security. Even experienced engineers can gain little traction on these issues through devices with models and user interfaces that too often place little emphasis on security. Putting aside these technical concerns, an even more basic question arises: If most IoT device owners aren't even aware of the IoT's implications, why would they consider that these suggestions apply to them?
In its security manifesto released last year, Arm® noted that technology providers need to embrace a social contract that implicitly exists among providers and users. All of this is true in principle. There's no doubt that users need to take more responsibility, and developers need to take steps to help protect users from their own accidents or inaction. Developers need to apply effective protection using readily available security mechanisms built into a growing number of MCUs, memory, and dedicated devices.
Even so, the responsibilities of this social contract go beyond technology. Manufacturers need to help consumers understand why their thermostats, door locks, video cameras, and other smart products are honey to the cyber bear. The FBI PSA suggests the failure to take this kind of preventative action is equivalent to having one's car running, with doors wide open, the keys in the ignition, and piles of cash on the seats. Knowledge is a powerful thing, and sometimes the surest start to the solution of the knottiest of problems lies in realizing that a problem exists.
Stephen Evanczuk has more than 20 years of experience writing for and about the electronics industry on a wide range of topics including hardware, software, systems, and applications including the IoT. He received his Ph.D. in neuroscience on neuronal networks and worked in the aerospace industry on massively distributed secure systems and algorithm acceleration methods. Currently, when he's not writing articles on technology and engineering, he's working on applications of deep learning to recognition and recommendation systems.