The Hand that Rocks the IoT is the Hand that Rules the World

The corporate accounting scandals that rocked the world at the turn of the century led to regulations designed to protect consumer information and interests. In the same vein, the rise of the IoT, as well as the recent increase in cyber-attacks, has created a need for the Federal Government to develop and enforce information security regulations to protect sensitive consumer information gathered by IoT devices.  

As consumers, we use IoT devices not just for driving directions or to play music, but also to protect our children and our homes, and we let these devices gather unlimited personal data on our activities and preferences. Navigation systems know where we are, smart home monitors know when we’re not home and wearable devices know our age and weight (the horror!).

The really frightening part is that, by using these devices, we open up our families and our homes to the world and, potentially, hackers. So the question is – shouldn’t someone be policing these IoT devices? What is the Federal Trade Commission (FTC) doing to make sure that the personal information gathered by IoT devices is protected? The answer is, unfortunately, nothing.

In 2013, when I first became a parent, a man hacked into a family’s wireless baby monitor and started talking to a toddler, calling her by name and using profanity. At the time I thought to myself, I will never buy anything that allows crazies into my home (barring immediate family) no matter how much easier it will make my life. Fast forward a few years and I’ve connected an Amazon Echo Dot in my house to simplify the incredibly difficult process of playing music.

A lot has changed since 2013, and the number of IoT-connected devices has now grown to over 8.4B. Technology firms are debuting products that allow you to track your luggage, cook your dinner from a wireless device and even brush your teeth more “intelligently” (yes, that’s a thing). These new gadgets have the power to do just about anything using a wireless connection, and with great power comes great responsibility – the responsibility to ensure that the data transmitted across these devices is protected.

There is no set of security standards that IoT device creators must adhere to, so until the government implements IoT information security regulations, it’s really our responsibility to decide what information we are willing to share with the world should a data breach happen to one of our gadgets.

The growth in IoT devices has led to a larger IoT attack surface and, as such, IoT data breaches have become a lot more common in the last few years. The problem is that most IoT devices do not receive security updates, while other technologies are constantly being updated to address security vulnerabilities. Most of the time when vulnerabilities are discovered in IoT devices, they remain 'unpatched' indefinitely, making these devices prime targets for attack.

In fact, a recent survey revealed that nearly 50% of US businesses using an IoT network have been hit by an information security breach. These breaches not only allow outsiders an intimate glance into your personal life, but they also allow hackers to tamper with this information or leak it to the public. The best-case scenario is a data breach on your smart toothbrush. In a worst-case scenario, a hacker could alter the functionality of the connected car you’re driving. 

This past August, four senators introduced bipartisan legislation to ensure that IoT devices purchased by the US government meet certain security requirements. It’s a step in the right direction, but why is this legislation limited to government purchases when millions of consumers are purchasing IoT devices every day?

As a consumer, I want to know that the companies producing the IoT devices I purchase are taking the necessary precautions to protect the information transmitted across their networks. This includes developing a regular cadence for performing security updates, proactively monitoring their networks for intruders and suspicious activity, and implementing an information security policy. 

The FTC was created in order to protect America’s consumers, and America’s consumers are purchasing IoT devices. With millions of new devices connecting to the internet each day, it’s critical that the FTC becomes more sensitive to IoT information security and moves quickly to implement regulations to protect consumer information transmitted across IoT devices.

In the meantime, I have disconnected the Dot after a few disturbing instances when it started talking to me out of nowhere. I can figure out how to play my own music, thank you very much.
