By Brad Ree, CTO, ioXt Alliance
Since the inception of the Internet of Things (IoT) in 1999, connected devices have been integrated into nearly every industry, from retail to automotive and healthcare. In fact, there are estimated to be 50 billion connected devices in 2020, and this number is only expected to grow exponentially. While these devices provide many benefits, they have also been prime targets of cyber attacks due to the vast amount of sensitive data being shared. There are numerous examples throughout the years of device manufacturers and companies that have fallen victim to these attacks – all resulting in them spending a significant amount of time, money, and resources to restore their reputation and regain the trust of their customers.
One notable example in the healthcare industry is the Medtronic insulin pump hack. Medtronic, a manufacturer of healthcare devices, made an insulin pump that caregivers or medical professionals could access remotely to monitor and control diabetic patients' pumps from a distance. Hackers figured out a way to gain access and control the devices from their mobile phones, which could have potentially caused a deadly outcome. This flaw impacted over 4,000 patients, and the pump was eventually recalled by Medtronic and the FDA and taken off the market, but patients remained equipped with the old devices and the brand reputation of Medtronic took a hit.
Despite companies taking precautions to prevent attacks after seeing others across industries fall victim to them, hackers continue to adapt and find loopholes and vulnerabilities in security systems to exploit. What’s more, industry stakeholders are aware that companies need to prioritize IoT security; however, the motivation to uphold these standards isn’t always there because they are rushing to get the next innovative products on the shelves. After countless examples of hacks, has the industry actually learned anything from them, or will it fail to adapt and keep repeating the same mistakes that cause the hacks?
An evolving industry and present dangers
Over the years, there has been a misalignment in the IoT industry due to the highly competitive drive to be the first to come out with the next best device. As a result, manufacturers race to get products to the market as quickly as possible, oftentimes skipping critical security measures. This, combined with the need to maintain device security over the product’s lifetime, creates more risks and problematic factors for security.
Additionally, connected devices are becoming more widespread across industries, which has opened the door for experts outside of IT and technology to enter the IoT world, despite not fully understanding the industry and the risks that come with it. Healthcare, appliance and automotive professionals have thrown their hats in the connected device ring to adapt their products to keep up with the demand for innovation, but don’t completely understand the nuances behind strong security. Because making connected devices is now easier than it once was, there is a higher risk of potential vulnerabilities, giving hackers more opportunities to cause damage.
The increased use of WiFi is another factor that can pose problems for IoT devices and make them vulnerable to hacks. WiFi access used to be a large expense but has evolved into a low-cost implementation, making it more widely used by manufacturers. While convenient, WiFi has a large bandwidth compared to Bluetooth and can allow hackers to easily gain access to a device. For instance, a WiFi-connected doorbell doesn’t require the bandwidth of WiFi and is actually more vulnerable when connected to it. If the device were connected with Bluetooth instead, a hacker would need to be in much closer proximity to the doorbell to access it, increasing the risk of being caught and making the device more difficult to hack.
Lessons learned
Though companies and manufacturers are aware that there are precautions to prevent attacks and other security issues, old practices that don’t work are being repeated and basic recommended guidelines for device security are still not being followed. To fully protect end-users from hacks, security should be accepted from device inception and not added in at the end of manufacturing. Engineers who think, “Why would someone want to do that?” and ignore those “what if they do” questions are leaving vulnerabilities to be exploited and putting the company at risk. Because these questions are not being addressed, security professionals are now facing not if, but when, the next attack will come.
One common issue in the industry is a lack of standards, which has caused technology companies to repeatedly make the same security mistakes. But certain third-party organizations are working to directly change this narrative, introducing and enforcing global security standards and certification programs. The companies that are partnering with these kinds of alliances and accepting and adopting globally recognized IoT security standards have greater visibility into the products they are manufacturing and distributing, and the confirmation that what end-users purchase can be deemed cyber safe. While this can help further mitigate security issues and future hacks from the start, much of the onus is on manufacturers to actually lead the charge.
Over the years, IoT attacks have also taught us that hackers will continue to expose holes in devices and exploit data from end-users, and as the industry grows, connected devices will only become more integrated into our daily lives. It’s more important than ever that manufacturers ensure that their devices are secure, not only to avoid attacks but also to prevent being the next security case study or leading headline in the news. These hacks could have more than financial implications and could take months or even years to rectify. For companies and industries looking to innovate their products, implementing security standards and taking measures from the start will ensure the safety of devices, help evolve the industry as a whole, and save tech companies time, money, and major headaches down the road.
About the Author
Brad Ree is the chief technology officer of ioXt. In this role, he leads ioXt’s security products supporting the ioXt Alliance. Brad holds over 25 patents and is the former security advisor chair for Zigbee. He has developed communication systems for AT&T, General Electric, and Arris. Before joining ioXt, Brad was vice president of IoT security at Verimatrix, where he led the development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols and their associated security models.