IoT security risks need immediate action, says report

The security failings in today’s internet-connected devices will only become more pervasive unless action is taken immediately, according to industry experts

In its current form, the internet of things (IoT) represents a considerable threat to consumers, a report by the Cyber Security Research Institute warns.

Inadequate regulations on security and privacy are at the heart of the problem, according to experts interviewed for the report, Internet of things: pinning down the IoT, sponsored by security firm F-Secure.

To avoid a “predictable descent into a dystopian future”, the report recommends swift action, saying that with the number of connected devices now probably exceeding the world’s human population, the IoT is already nearly inescapable.

Millions of connected devices have already been compromised to be used a part of the Mirai IoT botnet, but the report notes that many IoT device users are not aware of the inherent risks of their connected devices and that manufacturers often rush products to market without considering basic security requirements and settings.

Threats associated with IoT devices include digital burglary and surveillance. Hacking groups have already proved themselves adept at using freely available analysis tools to discover flaws in devices and turn them into botnets. When it comes to surveillance, the report said the greatest danger is that without rights and protections, users are at risk of becoming a component of the IoT instead of being in control of it.

“IoT devices could potentially be turned into eavesdropping mechanisms that capture biometric data like fingerprints, voices and faces that access and control them,” the report warned.

This situation could create an even more frightening scenario than the UK tabloid newspapers’ “phone hacking” scandal, due to a massive adoption of insecure IoT devices, the report said.

As millions of new connected devices come online every day, the report said IoT device users are still generally aware that their new “smart” appliances will go online, but warned that the “lust for consumer data” could change that in the future.

Read more about IoT security

According to Mikko Hypponen, chief research officer at F-Secure, almost every household device will eventually be online.

“And they will largely be invisible to the end-user as a smart device,” he said in the report. “They will look like dumb devices, but they will be smart devices, though they won’t offer any features to the consumer because the real reason for them to be online will be for them to report home and report analytics to the company that built the device.”

The report noted that it is already difficult to find any model of some devices, such as televisions, that do not connect to the internet.

The laws of supply and demand have not yet yielded an IoT that is built for the future, the report said. If consumers are not demanding security, manufacturers will never make security a priority,

But given the extraordinary dependence society is likely to develop on billions of IoT devices, governments may have to step in to demand security requirements, the report said.

In the report, Michael Barton, chief constable of Durham, said there needs to be regulation. “I am fighting shy of heavy regulation here, but you can’t sell toys with pins in them so that children are blinded,” he said. “You can’t sell cars where the brakes work intermittently. Nor should you be able to sell something on the IoT that allows people’s bank accounts to be emptied.”

As well as educating consumers about the risks of existing IoT devices, as the US appears ready to do, the report said governments also need to address the quality of technology being put in consumers’ hands and homes. Product manufacturers should be regulated to ensure products that come to market do not lack security or privacy measures, the report said.

Read more on Hackers and cybercrime prevention