In today’s world everything is connected. Turn on your crockpot from your phone while you’re standing in line at Target. Check on your sleeping baby while you watch a movie. Though these modern conveniences are great, the interconnectivity of these devices—the Internet of Things (IoT)—is fundamentally unsecure.
IoT Security in the Public Spotlight
Back in September, we discussed IoT security issues that still needed to be resolved. Since then, security in the IoT has gained a lot of attention from national media and is moving into the public spotlight.
CBS News talked about the IoT in a recent 60 Minutes segment. Correspondent Lesley Stahl was instructed to drive a car around a parking lot while an on-site hacker tried to gain access to the car’s computer systems.
In (what seemed like) a few minutes, the hacker had reprogrammed the software for car controls and started commanding the vehicle from the computer. He gained access to the horn, brakes, acceleration, and even the windshield wipers. It was laughable at first but quickly turned frightening.
Home automation and monitoring hacks are also becoming commonplace. BMW patched a security flaw a few weeks ago that could’ve allowed hackers to open doors for over 2 million cars. This week a Senator from Massachusetts released a report covering the security and privacy gaps in the car industry.
This is an exciting time for innovation, but the IoT environment is unique and growing at a rapid pace. There are still topics that need to be addressed—particularly surrounding user privacy and security.
Security Solutions: New Technology or New Restrictions?
With security issues in the Internet of Things gaining more attention, many organizations are attempting to create solutions either through new technology or new restrictions.
This change in attitude toward IoT security has even reached the government. Just last month, the Federal Trade Commission released a report urging consumers and manufactures to consider security and other safeguards.
For now, the Commission is focused on initiatives such as law enforcement, taking action on actors that are in violation of laws that apply to IoT, consumer and business education materials, stakeholder groups who discuss guidelines, and promotion protections through advocacy. The report covers three main areas:
The FTC urges companies to build security into devices from the beginning. Companies should conduct privacy assessments and consider risks associated with collection of consumer data. Built-in security features should be tested before taking the product to market, and companies should also ensure internal security practices promote good security.
In short, data minimization reduces potential harm associated with data breaches. A major IoT concern surrounds consumer information collection, distribution, and use. The Commission urges companies to impose reasonable limits for collection of data. For example, collecting a zip code instead of an exact geolocation.
Collecting data for future marketing and product development should be balanced with limiting security risks for users. Companies should also scrutinize how long consumer data is retained and consider collecting de-identified information.
Notice and Choice
Consumers should receive notice about data collection and choices in order to make informed choices. For example, companies could offer information collection options at point of sale, during tutorials, during setup, etc. Don’t bury notices in long documents; keep information clear and prominent.
PKI and IoT Security
Not only should consumer information be stored securely once collected, but the entire IoT environment should also be secured for ultimate protection at every stage of the information exchange process.
SSL Certificates and public key infrastructure can be used to securely exchange information on IoT devices, and provide solutions for the currently unsecure Internet of Things.