Internet of Things security woes: Can smarter consumers save the IoT from disaster?

If consumers become aware of the risks of insecure IoT devices, they could prevent cyberattacks.
Written by Danny Palmer, Senior Writer

The reach of the Internet of Things (IoT) continues to grow, with an increasing number of workplace and household devices now featuring embedded internet connectivity.

Televisions, kitchen appliances, toothbrushes, children's toys, and more are shipped with internet connectivity, whether that's to improve the device, or to simply provide the manufacturers with more data. In many cases, users may not even know that the product is connected to the internet.

That can lead to problems, however, because many IoT manufacturers ship products with minimal -- if any -- built-in security, as they rush to release items into a growing market.

Time and again, these devices have been maliciously exploited by cyberattackers to launch large-scale DDoS attacks, expose personal data, or serve as an entry point for hacking into the wider network.

Industry bodies and governments are attempting to determine rules and regulations in order to ensure the security of devices, but there's an important factor which must be taken into account in order to boost security: the users.

There's still a lot of work to be done to improve general understanding of security, and many people don't think twice about giving up personal data for minimal benefit.

"On an individual level, people are still willing to trade their data for a picture of a dancing cat or a free app," said Robert Hayes, senior executive at cybersecurity training provider root9B, speaking at a Royal Society forum on the opportunities and risks surrounding the IoT.

"We've got to help people understand what this trade-off actually is. Because you can put all the technical controls in, but if people keep clicking yes, then the technical controls won't work."

People need education about trust and the IoT, Hayes said. He proposed that if customers don't fully trust the security of a certain product, they shouldn't connect it to their network.

"Unless you have demonstrable proof that you can trust the hardware and software that you're connecting to, you should treat it as untrusted and you should have mitigations on your network that can limit its ability to do things," he said.

In terms of providing that education, more needs to be done.

Dr Irina Brass, lecturer in the department of science, technology, engineering and public policy at University College London, said it must be a joint responsibility by governments and private organisations, especially as the rise of IoT could fundamentally alter how many aspects of society work.

"More needs to be done in educating and communicating basics about security, what security means to their citizens and customers. There's a combination here of quite interesting opportunities with new forms of social contracts which might come out of this where we could communicate and educate the population," she said.

Professor Chris Hankin, director of the Institute for Security Science and Technology and professor of computing science at Imperial College London, shares the idea that education is key to improving security around the IoT.

"A politician previously used the phrase 'education, education, education' -- and I think education is at the heart of the answer," he said.

Companies producing internet-connected items should have developers trained well enough to build products which don't contain known issues, but it's important that consumers become aware enough of IoT security that they don't buy insecure devices at all, instead opting for those with good security.

"In terms of the smart home, it's about educating the whole population so that we can be informed consumers and ask the right questions before we deploy these sorts of things," said Professor Hankin.

The theory is that security will become another box to tick when buying an item -- people wouldn't buy a kitchen appliance if it was a known fire risk -- and many in the security industry think good cyber security should be on the 'must have' list when considering a new purchase.

Ultimately, if people become so attuned to security being something they need to look for in a product, then those which don't offer it will have to adapt or risk their product being a flop -- even if they are cheaper.

There's still a long way to go -- IoT security incidents are still depressingly common -- but Professor Hankin believes that steps are being taken in the right direction to boost consumer awareness around IoT security.

"I'm optimistic the situation will improve and I think education is the heart of the answer," he said.


