One good example of this is the Belkin WeMo platform. Young says you can install a device like this outlet that you can control with your smartphone in five minutes. Yet, there might not be any intrusion detection for a product like that. In a worst-case scenario, he says, a Chinese hacker could find a vulnerability for these outlets and then power-cycle them repeatedly for thousands of users all over the U.S. to cause massive blackouts. Yet, for the end user, there is some incredible usefulness, energy savings, low costs, and a simple install.
Foeckl says it’s this emerging utility and usefulness that makes IoT more vulnerable. A new connected device solves a problem, but we don’t always know that much about the firmware or the software used to solve a new problem. IoT devices are ultra-simple but they often share their Wi-Fi credentials. Indeed, Young says one of the biggest risks is that hackers can intercept the password for a Wi-Fi network, which is what happened two years ago when researchers found the LIFX connected light-bulb exposed network configurations.
When asked for a statement, a LIFX spokesperson said the company takes security seriously, and has "worked hard to provide an experience that puts the safety and security of consumers, their homes, and Wi-Fi networks first. We will continue to build products that aid in the security and protection of consumer homes."
Craig Spiezle, who is the executive director and president of the non-profit online security and privacy watchdog group the Online Trust Alliance (OTA), says there are several problems with IoT that have made it such a large attack surface.
For starters, consumers and businesses are starting to depend on these gadgets; the adoption is fast and furious, which means security is a secondary concern. There isn’t the same robust security testing and patch management given to other, more mature products like servers and smartphones.
Another issue he mentioned is that there might be an effort with IoT devices initially, when the product is new, but there are too many “orphaned” devices still connected to networks that are left unpatched and ignored. A prime example of this is the Nest Revolv smart hub. Researchers found serious security flaws, and in April Nest announced the company would discontinue the product and would not update any of the firmware.
Young says an even more critical problem is that many of the smaller IoT companies have a small staff; they do not even have security professionals working for them, and they tend to use third-party electronics that may or may not have been certified or even tested for security. The market is so new that the main goal for now is to get these gadgets to market quickly.