Users Can Secure Their IoT Devices; But Will They?

On an increasingly massive scale, cybercriminals are repurposing connected Internet of Things (IoT) devices installed within our homes. These hackers use malware to enlist our smart thermostats, speakers, lights, and more as soldiers for their botnet armies – used in coordinated massive attacks causing security breaches that threaten the integrity of the internet.

They’ve used these IoT botnets to target major websites and even forced entire countries to go offline. With the IoT primed for exponential growth through the next decade, the inherent vulnerabilities of these smart devices – combined with the capabilities of IoT-based botnets – create formidable cybersecurity challenges and risks.

I believe that the party best positioned to prevent or stop malicious attacks is the consumer. Those who use IoT devices in their own homes have the power to vote with their wallets, and could choose to buy devices with more effective security. However, without awareness of the risks posed to other parties, or direct impact upon their own individual use, why would consumers change their behavior?

Currently, most consumers have little or no awareness when their IoT devices are compromised or exploited. In the eyes of the consumer, as long as the IoT devices perform their intended function, the consumer literally “sees” no real problem.

Conversely, website hosting companies, operators, and other entities attacked by these IoT botnet armies are highly motivated to address the issue of unsecured IoT devices. But, in most cases, they lack the resources to mitigate botnet attacks, or the influence to make manufacturers provide better device security.

The current level of IoT device security varies. While some higher-end household appliances like smart refrigerators may incorporate more robust security features, many lower-end devices like lights and thermostats have no security measures in place – and most lack a user interface to manage the device.

As the IoT market continues to swell – Cisco estimates 15 billion IoT devices today, IDC/Intel foresees 200 billion such devices by 2020 – the vast majority of these internet-connected gadgets are of the low-end, low-priced, low-security variety.

Customer demand continues driving these manufacturers to emphasize time-to-market and user features (rather than security), meaning the problem and risks will only worsen.

The rapid introduction of billions more connected devices, with little attention to security and in most instances no ability to add security features later, opens the door for cybercriminals to easily grow massive botnets. These botnets can be rented to the highest bidder for everything from DDoS attacks, to simulating human behavior for ad fraud, to any other malicious use they may serve.

While IoT device owners largely remain unaware of the crimes their toasters and light bulbs may be perpetrating, the companies, countries, and websites being targeted and shut down through massive DDoS attacks are all too aware of the issue. Every minute these entities are offline directly translates into lost revenue opportunity and damage to their reputations. Manufacturers may not currently feel pressure to improve their IoT device security features, but it’s easy to understand that website owners and hosting operators cannot allow the status quo to continue.

Given the rapid pace of technology and the level of sophistication prevalent within the hacking community, I don’t place much faith in a regulatory-based approach to a solution. Instead, these are the steps toward a secure IoT that I predict will occur. First, website owners and hosting companies will seek to stop botnet attacks at the point of their own connections to the internet.

However, their attempts will only be minimally successful, for many of the reasons stated above. Next, website owners and hosting companies will try to pressure ISPs – local telcos, communications service providers (CSPs), and cable companies (like Comcast or Cox in the US, Sky in the UK, and others) – that provide bandwidth to IoT devices used in botnet attacks. As a result, the ISPs will be made to address the issue.

One possibility will be to introduce “metered” broadband, making consumers responsible for increased costs due to botnet-related IoT device activity. Another alternative is for the ISPs to send warning notices when their IoT devices are used in attacks (or even just represent a risk) – and to disable connectivity to those customers if botnet traffic persists.

When consumers are faced with the responsibility, and perhaps even liable for the malicious activities of their IoT devices, and when ISPs block compromised devices from the internet, we can then expect consumers to place an emphasis on security features when purchasing an IoT device. Manufacturers will produce what the market demands. This will be a major stride toward the safer, more secure IoT and internet necessary for each to succeed and thrive in the long term.

What’s Hot on Infosecurity Magazine?