Even with all those warnings, compromising them remains alarmingly easy. Most do not have even basic security built in. And when vulnerabilities are discovered, it is not always easy or even possible to update or patch them.
So, not surprisingly, while it has not made major headlines, the growth of consumer-level breaches and ransomware is showing up in statistics. The FBI issued a statement last June that it had logged 992 complaints related to just one variant of ransomware, CryptoWall, between April 2014 and June 2015, with combined losses of $18 million.
That is expected to get worse. “We will see an increase in IoT-based breaches,” said Sundaram Lakshmanan, vice president of technology at CipherCloud. “Every device that’s getting rolled out these days seems to have Internet connectivity. The hack can happen at any time from manufacturing to firmware updates past the production phase.”
More than just the loss of money or data is at stake as well. “There is a big difference between losing computer data and the safety risks involving a house or car,” said Will Dormann, senior vulnerability analyst in the CERT division of the Carnegie Mellon Software Engineering Institute.
“When you have more real-world devices connected, there can be risks involving human life, which are obviously much more serious,” he said.
Dan Geer, CISO at In-Q-Tel and an adviser to U.S. intelligence agencies, raised another ominous possibility. He said money is likely to be the prime incentive in the early stages of IoT attacks, “but for the long haul, disinformation in sensor nets may well be of interest, as will the marshaling of things into, shall we say, zombie armies.
“As M. Hathaway said in the 60-day 'Cyberspace Policy Review' at the outset of Obama's first term, the primary targets at the national level are the defense industrial base and the tech firms with global dominance; the secondary targets are the counterparties of the above; and the tertiary are any devices that can be a platform for attacks on the secondary,” he said.
It also creates potential legal nightmares. Lakshmanan noted that while cars are required by federal regulation to have things like operating taillights, “if an IoT hacker disabled that taillight on a freeway, who will be held responsible?”
Of course it is possible for the market to punish vendors for security failures by refusing to buy products that become known for being easily hackable.
But Dormann said the practical reality is that most consumers don’t think much about security when they buy “smart” devices – they focus on features and price. “Security is usually not part of the purchasing decision,” he said.
Or, as encryption guru, author and CTO of Resilient Systems, Bruce Schneier, has put it more than once, “People don’t care because they don’t know enough to care.”