Hacks happen almost on a daily basis, if not every minute of every day.
In fact, some say that every single Fortune 500 company has been hacked. But with the rise of connected homes, these hacks will be very personal. Someone will hack into your living room, someone will hack into your baby monitor, and someone will take over your smart TV.
There’s a simple reason why these hacks will keep happening. Actually, there are several reasons. Here are seven:
1. MVP, also known as Minimum Viable Product.
The point of an MVP is to build something fast, put it on the market, and then learn how well your product works from the customers who bought it. As the feedback comes in, maybe the developers iterate. Maybe they pivot. Needless to say, there is tremendous pressure to release an MVP as soon as humanly possible. As the team is spending all their waking hours getting the product released, do you think security and privacy get much attention? Too often, the answer is no.
2. Ease of use and “coolness” trump security.
Another problem: usability and coolness almost always trump security when new products are being designed. In most cases we’re talking about simple tradeoffs: do you ask the user, for example, to create a strong password during the setup process? By skipping this step, the setup process will be shorter and smoother. Often, the urge to get customers in the door leaves security doors wide open.
3. Security experts can be damn hard to find.
Let’s say you’ve been making thermostats for the past 50 years. For nearly all of those 50 years, that thermostat was not connected to the internet and customers didn’t control it with an app. Security and privacy were not issues. At least not online security and privacy. The IoT is obviously different. Modern thermostats connect to the internet, perhaps to an IoT hub, and they may be controlled by a smartphone. Clearly engineering teams need new talent with a focus on cyber security and how to manage customer data. But this talent may not come cheap — and with an estimated one million cybersecurity job openings, these experts are hard to find.
4. Ship fast — and forget it.
Anyone who has ever shipped a product knows the joy (and relief) of releasing new products quickly. Immediately after the first product is released, you start working on the next one. Then the next one. Customers don’t, however, always buy all of the latest and greatest models — even if we want them to. Customers probably expect that a connected thermostat, for example, will stay put for the next 3, 5, maybe even 10+ years. The question is, will the vendor keep updating the software on the first generation thermostat? And even if they do, will their best and brightest people be working on the 11th generation product? The “Ship and forget” mentality leaves customers with devices that are running software that is several years old. Hence, these devices might have severe security flaws.
5. YOU, the user.
Even if an update for your 11th-generation thermostat is available, would a typical customer go through the hassle of updating dozens of IoT devices that people may end up with in their homes? Would they have the energy? Would they have the skills? Would they bother to change the default password on their new gadget? No matter what manufacturers do, the customer might still be the weakest link when it comes to securing various IoT devices.
6. Complex supply chain.
What’s the hardest part of delivering a new IoT device? Suppliers and partners who let you down! Very simple: you built a great product and yes, you cared about security and privacy…only to find out that your manufacturer got hacked several years ago. Thus every device leaving their factory is already compromised. Or maybe the cloud vendor you used to store valuable customer data didn’t bother to secure its cloud. You don’t just have to trust the vendor you’re buying an IoT device from. You have to trust everyone they do business with.
7. Cybercrime as a service.
Now you get it. Securing IoT devices can be extraordinarily complicated. So let’s add one more factor. Almost anyone with an internet connection can become a hacker. Just a few YouTube videos can teach you the basic skills. And for people who want to take this to a new level, there is the dark web. On the dark web, anyone can buy exploit kits and pay with bitcoins. And these cybercrime providers often offer customer service that is actually better than most cable providers! Why would someone bother to get into hacking? The same reason people rob banks: Money. Some believe that ransomware — which holds people’s files hostage — will move from computers to IoT devices. Imagine the value of the data your connected house will collect. How much would you pay to get that back?
Does this mean that we’re doomed? Should you put your IoT shopping sprees on hold?
Well, phones and computers get hacked all the time and we don’t give them up. Why? Because they can make our life better — and so can the IoT.
But should you pay more attention when it comes to buying devices and connecting them to the internet? Yes. Should you go through the hassle of using unique passwords and making sure you update the software on your various devices? Yes, absolutely.
And if you want to take the next step toward IoT security, consider F-Secure SENSE. It may be exactly what your connected home is missing.