For years, computer industry leaders have been talking about creating a seal of approval that would assure consumers that their connected devices would be safe to use on the Internet of Things, just as past generations had Underwriters Laboratories or the Good Housekeeping seal to lean on. Why is that so hard to do?
U.S. Rep. Suzan DelBene, D-Wash., says it’s because the IoT market is moving so quickly that what seems secure today may not be so tomorrow.
“There was a time when we had something more static, you could say that it’s got this particular validator on the box, and you knew that it would potentially be good for years to come,” DelBene, who co-founded the Congressional Caucus on the Internet of Things in 2015, said today at the GeekWire Summit. “How do we make sure that if something’s there, it’s really going to mean something months or years down the line, given how much things are changing?”
She and other experts agreed that security assurances will become increasingly necessary as the number of IoT devices, ranging from webcams to smart speakers to kitchen appliances, mushrooms from an estimated 11 billion today to more than 20 billion in 2020.
There are already signs that the trend is taking hold, said Matt Wyckhouse, co-founder and CEO of the Ohio-based IoT security company Finite State. He pointed to California’s first-in-the-nation legislation on IoT security measures, which was signed into law just last week and is due to take effect in 2020. Among other things, the law will require manufacturers to build in the ability for users to change the passwords on IoT devices.
“It’s a very low bar, but it’s a starting point, right?” Wyckhouse said. Such measures could have stopped what’s widely considered the most notorious IoT security fail, back in 2016, when hackers took over 1.5 million Chinese-made webcams to create a website-blasting botnet.
Wyckhouse said the IoT Cybersecurity Improvement Act, currently under consideration in Congress, is “also a good step in the right direction.” But the biggest push may well come from the wireless industry. The industry’s trade association, known as the CTIA, is making a serious push toward certification.
“Now, when devices are tested for connectivity and functionality, and get things like the Wi-Fi Certified sticker on them, they can also get different levels of IoT security certifications,” Wyckhouse said. “And so, outside of government, there are also standards that are being put in place that will allow enterprises to buy things based upon their level of security.”
Perhaps the biggest security gap has to do with how familiar — or rather, how unfamiliar — end users are with the ins and outs of IoT cybersecurity.
“When a lot of people put smart speakers in their home, they think about the functionality they’re getting, but they don’t think that maybe someone’s going to listen to them,” DelBene said. “Now, people start talking about that, so I think we’re coming into a different time.”
Franziska Roesner, an assistant professor at the University of Washington’s Paul G. Allen School of Computer Science and Engineering, said savvy users are already catching on to best practices for securing IoT devices, such as putting them on a network that’s separate from their main computer network.
Eventually, anti-hacking measures for IoT devices will probably be as much a fact of life as antivirus software and spam filters are today. But it may take some hard lessons to get the message through. You don’t want to wait until hackers take over your microwave oven, or the locks on your doors, or maybe even your underwear, and demand a bitcoin ransom.
Privacy concerns are also a biggie, Roesner said.
“How do we change as we are surrounded by devices that are essentially surveilling us?” she asked. “We’ve installed them in our homes intentionally because they give us useful features, but especially as people become more aware of the potential security and privacy risks, how does that affect how they act? Are you in your living room now, nervous about stating certain political opinions because you don’t know whether you can fully trust the security of your smart speaker?”
One market study has predicted that more than half of all U.S. households will have at least one smart speaker in the home by 2022.
“If you think about that as an attack surface, that’s terrifying,” Roesner said. “If you’re an adversary, if you could be listening to half of American households. … And if you think about that as a consumer, it does have a chilling effect on how you act in your own home.”