How To Make 2017 the Year of IoT Security
Views: 71

People who make Internet of Things (IoT) devices still aren’t getting the message on security. And as these devices proliferate, the danger of increased attacks is getting more real.

Late last year, popular internet services such as Netflix and Twitter were temporarily taken down amid a massive distributed denial-of-service (DDoS) attack that involved hackers deploying malware to simple webcams that many of us use without thinking. Authorities in the U.S. and U.K. were investigating the Mirai malware used in the attack to create a botnet, an army of zombie devices commanded by hackers. In fact, the Mirai code is still available online, allowing those with only modest technical skills to continue disrupting internet services on a major scale.

IoT threats aren’t limited to things around us – they’re also inside us. The U.S. Food and Drug Administration (FDA) recently confirmed the existence of flaws in implants and transmitters made by a major U.S. medical device company. These transmitters are connected to the internet and designed to automatically monitor patients with implanted cardiac devices while they’re sleeping. The FDA disclosed that the transmitters have security vulnerabilities that allow them to be hacked in dangerous fashion.

Matthew Green, who teaches cryptography at Johns Hopkins University, pointed out that the devices don’t use strong authentication. He also speculated on the nightmare scenario of hackers accessing thousands of these devices and simultaneously sending commands to shock the hearts of unsuspecting patients. He suggested the only remedy would be a costly firmware fix.

I really believe that if we don’t focus on security, IoT will mean the “internet of threats,” or worse, the “insecurity of things.” That would be a disaster for the burgeoning IoT industry, which is expected to be worth some $1.7 trillion by 2020, according to IDC. We have to make 2017 the year of IoT security.

Some IoT engineers are waking up to this problem. Observers such as Professor Shiu-Kai Chin of Syracuse University's online Master of Science in Cybersecurity are calling for a system of certified security by design for IoT devices. Safety certification company Underwriters Laboratories (UL) has a new Cybersecurity Assurance Program (CAP) that also seeks to mitigate security risks in devices connected to the internet. If this movement gains ground – and it must – I can imagine a future in which your internet provider would shut down your online activity if any of your devices is found to be infected with malware, or simply not up to standard. This would be a kind of digital quarantine that could dramatically reduce malware attacks, which can cost industries hundreds of millions of dollars in lost revenue.

Standards could also apply to software and service providers. Responsible companies that provide regular patches or updates for their products could receive preferential rankings based on the number of days since the last update, to suggest just one relevant metric.