Who’s Responsible For IoT Security?

Smart technology is what makes ordering by voice and remotely monitoring your home possible. Promising as intelligence of things (IoT) solutions are, though, security has been a stumbling block.

The June IoT Tracker explores the latest advancements in IoT security and new applications of smart technology.

According to the tracker, the global IoT security market is expected to increase by a 35.5 percent CAGR from 2019 to 2026.

Even so, alarming reports keep surfacing. Among them:

A GPS tracker, called Pebbell in some markets, was recently revealed to allow real-time location tracking and the ability to listen in on the built-in microphone by sending SMS messages.

A security flaw was discovered in the iLnkP2P software system that is installed in millions of security cameras, doorbells and baby monitors. Hackers could access devices, eavesdrop, and conduct credential theft and takeovers remotely.

And a new variation of the Mirai botnet that targets smart TVs and wireless presentation systems was recently discovered.

These incidents raise questions as to who’s responsible for IoT security.

Some blame manufacturers for not requiring users to set up a PIN or passcode on devices, as was with the case of Pebbell’s vulnerability.

Others blame users for not securely implementing the technology.

At the recent IoT conference and expo Internet of Things World, enterprise leaders were surveyed about their top concerns. Security was cited by one-quarter of attendees.

The most popular solution (68 percent) was regularly updating firmware and software to secure their ecosystems and nearly half (43 percent) are physically checking devices for vulnerabilities. Roughly one-third (35 percent) are using data decryption by default.

In some circumstances, the government has stepped in. Last year, the state of California passed an IoT security law, SB 327, which is set to go into effect January 1, 2020. The law requires manufactures of smart devices to provide “reasonable” security features, which means that every device must be given a unique password by default or require users to set their own upon activation.

But some, like Prasant Mohapatra, professor of computer science and vice chancellor for research at the University of California, Davis, think these legislative safeguards are inadequate. “Most IoT devices are … used by people who … may not have adequate technical expertise to handle [them],” he explained. “People using home security systems will not be technically aware of the security loopholes. So, we need policies to safeguard common people,” he said.

A national privacy law hasn’t become a reality as yet, though that is in part because there isn’t a consensus on how strict it should be.

IoT security has been a major concern for the Z-Wave Alliance developer consortium, founded in 2005, well before the current ubiquity of IoT devices. The Alliance was founded on supporting expansion of Z-Wave and the continued interoperability of devices that utilize Z-Wave.

Z-Wave Alliance’s executive director, Mitchell Klein, would like to see a federal rule on smart device security legislation. He is also of the mind that responsibility for security shouldn’t fall on consumers. “To rely on a consumer to come up with and remember a highly complex password? The masses aren’t going to do that, and we’ve seen it,” he said. “[The responsibility] should be with the service provider or device maker. They’re the ones that should ensure the security. But we all know that [providers have] some self-interests that may not serve the general public the way they should,” he said.

While much of the security focus has been on consumer-facing IoT like baby monitors and smart dog houses, the technology has also been adopted by the agricultural industry and the logistics and supply chain sector and poses a whole different set of problems.

A study of the transport and logistics sector found that of the 125 companies surveyed, nearly two-thirds said their cybersecurity processes could be stronger, but only 38 percent had invested in new security technologies.