Can IoT devices ever be made truly secure when human beings are often the weakest link in the chain? Retail expert Adam Bernstein investigates
The internet has inveigled its way into our lives like no other technology. Enabling, disruptive, revolutionary, it has transformed society. With its ability to connect, it has opened up a Pandora’s box of risk that some are only just waking up to.
A BBC Panorama programme broadcast in May, Hacked: Smart Home Secrets, shocked a couple living in their highly automated home. They were surprised that third parties could remotely control their curtains, hijack their TV and turn on a kettle.
Big data – big risk
Will Bryson, an associate in the tech and comms group at law firm Bird and Bird, says that data protection should be a concern for the IoT supply chain: “Consumers take these devices into their homes and often a large degree of their functionality depends on the use of personal data. With the General Data Protection Regulation [GDPR] that came into effect in May, regulatory compliance must now be at the forefront of suppliers’ minds.”
But the issue goes further, as IoT devices can attack other devices. Mr Bryson points to “recent large-scale distributed denial of service attacks that used security flaws in IoT devices in order to commandeer them into massive botnets, which caused wide-scale disruption to internet usage”.
The problem at source is that many IoT devices have very weak basic security – default passwords that are available online being a typical example.
Geoff Meads, lead instructor at Cedia, an international trade organisation for the home-technology industry, thinks the odds of an attack are remote: “Audio and video devices aside, most IoT communications transmit and receive tiny amounts of data compared with the general volume being transferred on the internet.” He believes the chances of data being captured and used destructively are pretty low.
Sian Lewis, Amdea’s association executive, agrees to an extent. She sees connected appliances as essentially “isolated” products, “rather than an element in a network of connected appliances”.
But as Mr Meads alludes to, a bigger concern may be smart devices, such as a TV or speaker, that listen for key words.
Mr Bryson adds: “It would be hoped that the reputational damage a supplier would suffer if it were ever discovered that the device was spying on consumers would provide sufficient motivation [to get products right].”
Mr Bryson worries that data gathered by devices, which may be sold on, may lead to targeted product advertising. “The problem is that users are generally unlikely to be aware of how their data is used – the terms and conditions they are presented with are largely clicked through, unread.”
Cedia’s Mr Meads sees three types of information that need protecting – payment data, user credentials, and general usage data. From his perspective, payment data is the most valuable and should be treated very carefully when moved online.
But user credentials are just as important – huge firms, like PayPal and Dropbox, have been successfully attacked in the past and user data stolen, leading to potential theft of monies and confidential information.
People are the problem, says Mr Meads: “Many still use the same e-mail and password for multiple websites and other services.”
But data leaks cannot be ignored, either. As Mr Meads points out, home occupancy patterns can be established by simply tracking when heating is on or off – criminals will then know when to break in.
The risk to the sector has grown as, under the GDPR, suppliers could face significant fines for breaches of data protection requirements.
And the supply chain, reckons Mr Bryson, should be worried. “If a third party hacked into an IoT device and took control of, or otherwise abused, it, the supply chain could, in principle, be responsible.” He singles out manufacturers, creators and suppliers of application/security software, and network providers.
While retailers could be on the hook, Mr Bryson thinks that, given they are unlikely to have ultimately caused the defect, they will likely recover any liability that arises from the manufacturer or supplier.
Cedia’s Mr Meads believes liability should depend on how a device has been manufactured and installed. He says: “If a device has been designed, manufactured and installed to all known best practices, I don’t see how there can be liability if a criminal deploys a new and, as yet unknown, way of abusing it.”
Of course, the trade needs to play its part in educating consumers. As Cedia’s Mr Meads comments: “As an industry, we must do everything we can to secure data. However, any system is only as secure as its weakest link, and that is often the user.”
As for installers, he advises a simple security agreement between themselves and the user. “It must be clear in terminology and short in length and should clearly state what the installing company is liable for.”
So, can IoT devices ever truly be made secure? It seems unlikely, as humans are involved and they are often the weakest link in the cyber-security chain. This in part puts the onus on those in the supply chain to take some responsibility for device security.