How IoT devices are embracing security
The last five years have seen a massive growth in devices connected to the Internet: Transforma Insights estimates that 27.8Bn connected devices will be online by 2030. The exponential rise in the number of connected devices has also heralded a commensurate rise in the number, as well as the severity and sophistication, of cyber-attacks against devices, individuals, commercial entities and national infrastructure.
The first publicised hack on a connected device in the home occurred in 2013, when parents heard a strange man’s voice talking to their child through their baby monitor. As connected device adoption increases, so do the potential attack vectors and security concerns, as hackers can see the potential of more and more available data and information.
As the lines between the home and office continue to blur, further advanced through technology and a global pandemic, the risk of cyber-attacks will increase. In a study by the Internet Society, more than half (53%) of those surveyed said they did not trust their connected devices to protect their privacy and handle their information in a respectful manner. Security concerns are serious enough to deter almost a third (28%) of people who do not own a smart device from buying one.
As a result of increased adoption and awareness around potential security threats, device manufacturers are taking notice and are now incorporating security into their designs as they seek to reassure customers that they are focused on security and privacy.
However, there is still a long way to go, especially in enterprise environments. A recent survey of 450 global enterprises undertaken by MEF reveals that 80% of respondents view security as crucial to establishing an effective and robust IoT, including devices, network and applications, yet only 20% of enterprises feel capable of delivering a secure IoT environment.
Trust fosters adoption
IoT security considerations and concerns have led to the creation of the Online Trust Alliance, an Internet Society initiative to develop the IoT Trust Framework. The Framework identifies the core requirements that manufacturers, service providers, distributors/purchasers and policymakers need to understand, assess, and embrace for effective security and privacy as part of their connected devices.
This underlines that the biggest challenge to increasing adoption is trust. As more devices become connected, more and more data will be collected. If it isn’t handled in a way that the user expects or is vulnerable to threats, trust will be eroded, and companies will suffer significant reputational damage. This isn’t just about the individual device being protected from a security and privacy perspective. It is the entire ecosystem that needs to be secure – as the saying goes, you are only as strong, or in this case protected, as your weakest link.
When driving on a motorway, everyone must behave in a respectful manner to others and drive safely. It takes just one bad driver to cause a crash that can affect many. It is similar with connected devices. If one smart device connected to a network is vulnerable, it can have an impact on the entire network, and everything connected to it.
It’s important that the entire ecosystem recognises the need for every component to be protected. Every device, from conception through to manufacturing, and the services it connects to must have security at the core.
What is driving change?
The first big shift in both consumers’ and device manufacturers’ perception was the introduction of GDPR in Europe. The introduction of the privacy law across the EU made everyone think about how they managed customer data and what others were doing with theirs.
America’s NIST cybersecurity standards for federal organisations are being adopted by enterprises. There is a proposed bill to make reporting of cybersecurity breaches, including ransomware payments, obligatory. Furthermore, China has rapidly introduced a series of cybersecurity measures very similar to GDPR, the Personal Information Protection Law (PIPL).
The increased awareness from consumers and businesses caused a fundamental shift in the demand for security information at the point of sale. Cybersecurity is a major requirement for connected devices in the world’s three biggest markets.
The second shift driving change is the proliferation of cloud services. The hyperscalers (e.g. Google, Microsoft, Amazon, Apple, Facebook) have been scrutinised regarding their security. The majority of data generated by connected devices is held within a cloud environment; therefore, cloud providers need to have very structured and secure environments in order to ensure their customers’ data is protected and to build trust.
These companies now offer branded services to a plethora of third-party devices, which connect to the hyperscaler’s cloud and often have their own inbuilt security or, in many cases, a lack of security. Hyperscalers are increasingly alarmed by this and now set cybersecurity standards for third-party devices that support their services.
Thirdly, it is the manufacturers themselves driving change, as consumers focus on their devices and their security. Manufacturers are putting security and privacy at the forefront, both in design and in their marketing. For example, Apple’s advertising emphasises privacy and Samsung focuses its investment on device security, and other device manufacturers now follow suit.
Finally, the shift in our purchasing behaviour also drives change. Is an e-tailer responsible for the security of the product they sell? What happens if the product is leased or financed? Amazon has its own branded ebooks, the Kindle, and Sky has announced its own TVs (Sky Glass). As more of these crossovers occur, the question of who is responsible for security widens. Manufacturers and retailers (whether online or physical) need to ensure products are secure and be able to answer the questions from a more informed consumer. This is especially complex with large ecosystems, where the delivery of a service or experience is enabled by multiple third parties.
The rise of mobility
It isn’t just devices that we traditionally see as connected (smartphones, smart watches, TVs etc.) that need to be considered. Micro mobility is growing fast. Bikes, scooters and new types of personal electric vehicles are making their way onto the market, but how many have considered the security of the data they collect and hold?
In London, bike sharing schemes have been available for many years and are increasingly popular. To use the schemes, you have to enter your credit card details when you rent a bike, and the bike tracks where it is (effectively tracking you). This information about your whereabouts could potentially lead to knowledge not only about your habits and your financial details, but also about where you live and work. This builds a data set that can start to predict your behaviour with a high degree of confidence.
It is the same with electric scooters, even if you own one. A scooter holds your home address, the place where it is most frequently located, along with other personal information.
The increasing digitisation of our vehicles, whether our own cars or scooters, or shared vehicles that we rent, may also lead to other security issues. Malicious actors exploiting vulnerabilities using cellular networks, physical connections or short-range connectivity such as Wi-Fi or Bluetooth will become a new threat in the mobility space. Such vulnerabilities can be used by hackers to help find new ways to steal our property. Additionally, the data that they contain, such as trips, location data, entertainment preferences, financial information and even physical characteristics such as fingerprints, is personal data that can be used to compromise multiple services or even to steal someone’s identity.
Trust-based mobile device security is required to make users feel safe. The Bosch e-bike, for example, has intelligent theft protection, which secures the physical and digital aspects. Similarly, Specialized’s latest e-bikes also have security at the core.
While connectivity brings many positive changes, it is crucial that manufacturers also address the new cybersecurity challenges to attract consumers.
Secure by design
As our world becomes even more connected, device manufacturers need to take a “secure by design” approach, which ensures necessary IoT cybersecurity solutions and technology are built into all connected devices. Research indicates that security considerations already impact consumer purchasing habits. According to IDC, 58.6% of people in the US stated that they would consider paying a premium for a brand that demonstrated leading cybersecurity protection and monitoring within their vehicles. Cybersecurity credentials will become an important differentiator for brands and retailers.
Trust fosters adoption. It is a fundamental need as businesses and consumers increasingly rely on their connected devices. Any compromise in security can lead to breaches in user trust, potentially revealing private data and significantly impacting service providers’ and device makers’ brand and reputation. Trustonic offers IoT security solutions and certifications to secure and protect customers’ data. These solutions are hardware and software agnostic and work across any smart connected device: smart-home devices, wearables, mobility and vehicles, and enterprise IoT.
Today’s connected devices are highly sophisticated computing systems. Software architectures are based on common components. Any vulnerability has a broad impact and, with enterprise IoT, this could have an effect across the entire enterprise, regionally, nationally or even globally.
Systems need to be “secure by design”. Our Trusted Execution Environment (TEE) allows critical code and data to be separated from the less secure parts of the device. This enables higher levels of assurance and the ability to certify solutions where necessary.
Security and privacy need to be viewed together in the context of the entire ecosystem; only then can IoT device security concerns be overcome.