IoT security: Why it will get worse before it gets better

IoT brings opportunities but it also brings cyber security risks - some of which have barely been thought about.

There are billions of connected devices in use around the world, in our homes, our offices, even inside our bodies as medical devices are connected to an ever-growing internet of things (IoT).

Vendors rush to add to the range of devices available, with many looking to gain a hold in the market as quickly as possible, delivering cheap, easy-to-use devices into the hands of users.

But this rush to market often comes at a cost, with cyber security given little or no thought as manufacturers race to be the first to offer connected devices. That has often led to devices hitting the market and selling in large numbers, only to be discovered to be completely insecure.

Devices ranging from IP cameras to children's toys and smart home hubs have been found to contain significant vulnerabilities which can be exploited to spy on users, or to use the IoT device as an entry point into the wider network for committing other cyber crimes. The sheer number of insecure IoT devices on the market was also a key factor behind the Mirai botnet attack of late 2016, which spearheaded a massive Distributed Denial of Service (DDoS) attack that affected large sections of the internet.

That incident showed the damage insecure IoT devices could do -- and governments around the world have since started examining how to ensure connected devices are better secured.

Last month Europol, the European Union's law enforcement agency, and ENISA, the European Union Agency for Network and Information Security, held their IoT security conference at Europol's headquarters in The Hague, the Netherlands, to discuss the problem with industry -- and how to go about securing the IoT before it's too late.

"There are many exciting opportunities for our citizens, for digital society, for businesses and also a massive economic opportunity for Europe to take part in this," says Wil van Gemert, deputy executive director of operations at Europol, of the IoT. But there are already signs that things could get worse.

"There's also criminal opportunity because of the Internet of Things. We've seen some examples of this, but the real potential is yet to materialise," he says. "It's a matter of time before a shift towards a proliferation of IoT-related attacks."

One of the major problems with IoT security is that users often have no idea that their device has been hacked or infected with malware -- or that this can even happen.


In many cases, devices will be bought, plugged in and simply forgotten about. They won't receive updates, they won't have their default passwords changed, and nobody is going to notice if their smart kettle is being used to conduct DDoS attacks -- or that it needs security in the first place. Criminals know this and are keen to exploit it.

"Hyper-connectivity also means hyper-threats. It means threats to security which are bigger, faster, smarter. So like with every new positive development, there comes a dark side and the challenge is that these threats can propagate in scales and with impacts that were unprecedented before," says Miguel Gonzalez-Sancho, deputy head of unit for ICT for Inclusion at the European Commission.

IoT security is a "very serious area" for the European Commission, he says, arguing that cooperation across the European Union is key to solving the issue.

"Capabilities on cyber security differ across the European from one state to another, from one sector to another -- which makes us vulnerable as a whole union. We need to become more cyber resilient and provide a better response to cyber attacks. Cyber security is now on the top level of the European agenda and every state involved today," he says.

But that doesn't mean the issue is anywhere near being solved. There are already many millions of devices out there being operated by users who don't know that they might need additional security. But there are lessons to be learned here from similar predicaments in the past.

"Speaking about IoT at a conference like this unfortunately makes me feel very old. It takes me back to the mid-1990s," says Steve Purser, head of Core Operations Department at ENISA.

"What struck me is how similar the problems were we were dealing with then, to the ones we are dealing with now. We've come up with some solutions as we're running this stuff and we're running it safely and securely on the whole, we've made some leaps forward. But when you look at the essential issues of securing highly distributed systems, not a lot has changed in the last 25 years," he said.

There have been some attempts at securing the Internet of Things, such as the UK government's Secure by Design guidelines and ENISA's own guidelines -- but none of these are mandatory. It could be that legislation becomes the way forward in future.

"We've had a first attempt at legislating IoT, so let's see how it goes. ENISA is pushing for a soft law, best-practice approach. We favour this approach -- it's economically more reasonable, more flexible -- and at the end of the day, you can always legislate later," said Purser.

It might also mean consumers need to pay more attention in order to nudge IoT security along the right path.

"We'll need 'electronic common sense' -- somehow we need to train people to live in the electronic world in an intuitive way. When you cross the road, it's intuitive to look to see if traffic is coming -- you don't have to follow a procedure or anything, you just know what to do," says Purser.

In order to get to that point, consumers and businesses will need to be taught what to expect from a secure IoT device and to see that by spending a little extra, and not going for the cheapest product, we can help improve security for everyone.

"Traditional security is quite well known and we have good ways of dealing with it, but IoT turns that on its head and that's a problem. It introduces things in traditional structures which we're not used to, and if we don't think about it properly, they become big points of vulnerability," says Purser.

For example, someone might install an IoT security camera but not realise that the device's poor security means whatever the camera is watching could be viewed by others or broadcast on the internet.

"People don't have the reflexes to think this is a device which is powerful and can do a number of things they haven't thought of, they just plug in and play," says Purser.

Europol and ENISA regularly run campaigns to educate the public on the issue, with the aim of ensuring people are better informed when making decisions about IoT.

"If people are unaware of the threat then they're not going to ask questions regarding this. What we've got to do is raise that awareness amongst consumers, then people will start asking the questions," says Steven Wilson, head of Europol's Cybercrime Centre, EC3.

"Then vendors will design goods to a certain minimum of standard and the consumer will seek that out rather than seeking something out that's cheaper, but doesn't have security".

Part of the problem is that the economics of selling technology and the economics of security don't align very well.

"Globally, we have a very poor understanding of the economics of cybersecurity. There is a business case to flood the market with insecure devices, unfortunately -- but it works and people make a lot of money out of it," says Wilson.

The device vendors aren't the only ones making money out of the poor state of IoT security -- there are plenty of cyber criminals who are more than happy to use it as a cash cow.


The Mirai DDoS attack wasn't a one-off -- compromised IoT devices are regularly used to conduct denial of service attacks, and wannabe attackers can pay those who run these services as little as a few dollars to overload websites.

Even if every IoT device built from now on is designed with security as a top priority, there's still the toxic legacy of devices that were released with little thought given to security -- and in some cases it might not be possible to provide updates or fixes for these products.

That in itself might mean organisations need to examine how to change the way networks operate so that older, vulnerable devices can stay connected.

"We've got a huge number of insecure endpoints. We need the development of router-level security to protect multiple end points as a fix for retrospective devices that are not or are never going to be secure," says Wilson.
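One shape the router-level protection Wilson describes can take is the gateway watching each endpoint's outbound traffic and flagging a device that suddenly behaves like a DDoS bot. The following is an added example, not code from the article or from Europol or ENISA; the device identifiers, IP addresses, flow records and thresholds are all constructed for illustration.

```python
# Added example (not from the article): a router-side check that flags an IoT
# endpoint whose outbound traffic drifts from its learned baseline, the way a
# Mirai-style bot does when it starts flooding a target. All flows are constructed.
from collections import defaultdict, namedtuple

# device is the local identifier the router sees (assumed here: MAC address)
Flow = namedtuple("Flow", "device dst_ip dst_port packets")

# Constructed baseline window: each device talks only to its vendor backend.
BASELINE = [
    Flow("aa:bb:cc:00:00:01", "203.0.113.10", 443, 120),   # camera -> vendor cloud
    Flow("aa:bb:cc:00:00:01", "203.0.113.10", 443, 95),
    Flow("aa:bb:cc:00:00:02", "198.51.100.5", 8883, 30),   # kettle -> MQTT broker
]
# Constructed observation window: the kettle now sprays packets at 40 hosts.
OBSERVED = [
    Flow("aa:bb:cc:00:00:01", "203.0.113.10", 443, 110),
    Flow("aa:bb:cc:00:00:02", "198.51.100.5", 8883, 28),
] + [Flow("aa:bb:cc:00:00:02", f"192.0.2.{i}", 80, 4000) for i in range(1, 41)]

def profile(flows):
    """Per device: the set of (dst_ip, dst_port) peers and the total packet count."""
    peers, packets = defaultdict(set), defaultdict(int)
    for f in flows:
        peers[f.device].add((f.dst_ip, f.dst_port))
        packets[f.device] += f.packets
    return peers, packets

def flag_devices(baseline, observed, new_peer_limit=5, packet_ratio=10.0):
    """Return {device: [reasons]} for devices contacting more than new_peer_limit
    destinations absent from the baseline, or whose packet volume grew by more
    than packet_ratio. Both thresholds are assumed tuning values, not from the article."""
    base_peers, base_pkts = profile(baseline)
    obs_peers, obs_pkts = profile(observed)
    flagged = {}
    for dev, peers in obs_peers.items():
        new_peers = peers - base_peers.get(dev, set())
        ratio = obs_pkts[dev] / max(base_pkts.get(dev, 0), 1)
        reasons = []
        if len(new_peers) > new_peer_limit:
            reasons.append(f"{len(new_peers)} previously unseen destinations")
        if ratio > packet_ratio:
            reasons.append(f"packet volume x{ratio:.0f} vs baseline")
        if reasons:
            flagged[dev] = reasons
    return flagged
```

A gateway applying this could quarantine the flagged device to its own segment rather than cutting it off, which is the point of protecting endpoints that will never receive a fix of their own.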

But one thing is for certain -- consumers, organisations and product vendors can't simply ignore this issue: IoT security is a problem that needs to be addressed now.

"For the first time I hear people talking about IoT as something of today, not something of tomorrow. This is a very good message because it's certainly not something of tomorrow, we're having to deal with it as we speak," says Purser.

"The problem if people talk about IoT as if it's tomorrow, it gets us off the hook of having to do it today -- and that can't be a good thing".
