Security & Privacy Concerns Created by IoT Devices

The Internet of Things is a blessing and a curse when it comes to convenience and security issues.

Internet of Things (IoT) devices represent both a user benefit and a security and privacy vulnerability. A Gemalto study revealed that only 48% of businesses can even detect a breach affecting an IoT device.

Dutch digital security firm Gemalto suggested that, with the number of connected devices set to exceed 20 billion by 2023, businesses must act quickly to ensure their IoT breach detection is as effective as possible. (According to a Zion market research report, the global IoT in banking and financial services market accounted for $159 million in 2017 and is expected to reach $2.5 billion by 2024.)

The Gemalto study found some good signs. Spending on protection increased (from 11% of IoT budget in 2017 to 13% today), with almost all (90%) believing it is a big consideration for customers, and almost three times as many seeing IoT security as an ethical responsibility (14%) compared to a year ago (4%).

Gemalto, which surveyed 950 IT and business decision-makers globally, found companies calling on governments to intervene, with 79% asking for more vigorous rules on IoT security and 59% looking for clarification on who is responsible for protecting IoT. Although numerous governments have already passed, or announced the introduction of, IoT security regulations, most businesses (95%) believe there should be uniform regulations in place, a finding endorsed by consumers, with 95% expecting IoT devices to be overseen by security guidelines.

“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” Jason Hart, chief technology officer, data protection at Gemalto, said. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”

The study also revealed consumers are clearly not impressed with the efforts of the IoT industry, with 62% believing security needs to improve. When it comes to the biggest areas of concern, 54% fear a lack of privacy because of connected devices, followed closely by unauthorized parties controlling devices (51%) and lack of control over personal data (50%).

While the industry awaits regulation, it is looking for methods to address the problems itself, with blockchain emerging as a potential technology; adoption of blockchain has doubled to 19% in the last 12 months. A quarter (23%) of respondents believe blockchain technology would be an ideal solution to securing IoT devices, and 91% of organizations not currently using the technology are likely to consider it in the future.

Meanwhile, businesses continue to employ other methods to protect themselves against cybercriminals. The majority (71%) encrypt their data, while password protection (66%) and two-factor authentication (38%) remain prominent.

While businesses look to governments for guidance, the Japanese government approved a law amendment allowing its workers to hack into people’s IoT devices as part of an extraordinary review of insecure IoT devices.

According to a Ministry of Internal Affairs and Communications report, attacks targeting IoT devices accounted for two-thirds of all cyberattacks in 2016.

The survey, conducted by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications, will permit the use of default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.

The strategy is to collect a list of insecure devices using default and easy-to-guess passwords, which many hackers use to infiltrate systems, and alert authorities and appropriate internet service providers, so they can warn consumers and secure the devices.

The review is planned to begin next month, when authorities propose to test the password security of over 200 million IoT devices, beginning with routers and web cameras. The NICT plans to also test gadgets in people’s homes and on enterprise networks.

Japan embarked on this plan in preparation for the Tokyo 2020 Summer Olympics. The government is afraid that hackers might exploit IoT devices to launch attacks against the Games’ IT infrastructure.

There is some precedent. Russian nation-state hackers deployed the Olympic Destroyer malware at the PyeongChang Winter Olympics in South Korea in 2018 as retribution for the International Olympic Committee disqualifying hundreds of Russian athletes. Russian hackers also constructed a botnet of home routers and IoT devices, called VPNFilter, to disrupt the broadcast of the 2018 UEFA Champions League final in Ukraine.

“Since the IoT industry is in its infancy, almost all of the devices have the potential to become cybersecurity risks. In a rush to get them into the market, most manufacturers are ignoring the security side. From this point of view, the Japanese government’s concern has merit,” Daniel Markuson, digital privacy expert at NordVPN, said.

Markuson added it is understandable why this amendment has sparked outrage in Japan. “It seems as an excessive measure, as the same results could be achieved by sending a security alert to all users or informing people via media. It is also not completely clear what other sensitive data might be collected during the survey and how it will be handled.”