Limor Kessem

Is lax consumer attitude piling up IoT risk?

The Internet of Things, or IoT, is the third, natural wave of progression in the development of the Internet. People all around the globe are already using the IoT, enjoying it, and expecting to see more convenience and utility from it. IoT is definitely popular, judging by statistics noting that 5.5 million devices were connected every day in 2016, and that number is only expected to grow.

While IoT is used by businesses, industries, and service organizations, its biggest adopters to date are consumers. It is therefore unfortunate that end users generally disregard IoT security: people seem either to lack basic knowledge about securing their devices, or simply not to care much about it.

In a recent IBM Security survey about consumer awareness of ransomware, one of the insights from over 1,000 respondents was that consumers were least worried about protecting wearables, car navigation data, home devices, and connected cameras. For example, less than 5% of consumers said the security of their wearables was a top concern, compared to 64% who cared about their mobile devices.

[Figure: Consumers rank importance of securing devices; IBM survey]

On the top-10 list of devices consumers would care to protect, IP cameras ranked 7th, which stands in contrast to these cameras' popularity and their vulnerability to attacks by IoT malware. Take the Mirai botnet as an example. Mirai amplified its attack power by preying on poorly secured connected cameras. Mirai also managed to leverage other home devices, like DVRs, to make its DDoS attacks bigger and badder, yet those home devices ranked 8th among the devices consumers care to protect. Is the overall attitude consumers have about IoT security amplifying the risks? The way things stand at this time, it is.

A Poisonous Mix

Ranking IoT devices low on a shortlist where smartphones, laptops, and personal computers are the top concerns is part of a bigger IoT security problem. It's one thing that consumers don't see the dire need for a security layer, but it's another thing that vendors don't see it, or choose to ignore it, likely because consumers don't pressure them on security.

Perhaps the most common example here is the age-old 'weak password' culprit. Many IoT devices come with basic or default passwords that people don't bother changing or, worse yet, can't change because the firmware does not make the interface accessible to non-technical users.

As a result, botnets like Mirai and BASHLITE were able to automate simple tactics, like dictionary attacks, against consumer-grade devices and easily turn them into parts of mega botnets that attacked some of the largest service providers in the world.

The Time to Act is Now!

The neglect of IoT security in this day and age shows us gaping holes not in technological ability, but in the mainstream attitude toward information security. Security layers and proper interfaces for IoT devices should have relied on tested security practices from other technology realms, and been built into devices from the very beginning. The way things look, we may just be late to the game, seeing IoT-specific botnets and IoT threats already running wild in the same types of venues where banking Trojans and other Internet-borne malice come from.

It is high time to act, starting with awareness, and moving on to vendor pressure and regulation, in order to stop IoT threats before they become another security area we fight daily to contain and mitigate. In my next blog, we'll examine the enterprise perspective on IoT security, what the weak points are, and what practical steps can be taken to improve the security of IoT apps.