They’re coming, and we won’t be able to stop them. But will they be friends or foes? What are we talking about? Internet of Things (IoT) devices. And, as with most things, the answer will depend on the details. Gartner predicts there will be approximately 5 billion such devices in use this year, growing to 25 billion (more than half of them consumer-focused) by 2020.
“Smart” devices are all the buzz, whether in the connected home (thermostats, lightbulbs, garage door openers, locks and various appliances) or new wearable devices. They promise convenience along with improved control and efficiency in our lives. But, as highlighted by the recent hacking of automobiles, connectivity can come at a significant cost.
Consumers cringe as the barrage of data breaches continues — from major retailers to health insurers to government agencies, hundreds of millions of records are now exposed and there seems to be no end in sight.
Will we face a similar future with some of our most personal and sensitive information (where we are, the status of our home, our latest health vitals), or even with our physical security?
The consequences range from annoying (lights turning on and off, coffee makers starting up in the middle of the day) to creepy (messages on a smart refrigerator, locations being tracked, cameras being hijacked) to downright dangerous (thermostats/appliances being manipulated to the point of physical damage or fire, locks and garage door openers being compromised).
These issues are the focus of the Internet of Things Working Group (IoTWG), recently established by the Online Trust Alliance (OTA), a non-profit focused on the establishment and adoption of best practices that enhance online trust.
The IoTWG is made up of dozens of organizations, including leading retailer Target and technology leaders Symantec and Microsoft. Its mission is to establish a trustworthy framework for IoT manufacturers to follow that addresses three key pillars: security, privacy and sustainability.
IoT offerings present a unique challenge because of the balance between functionality and connectivity.
Many of these recommendations have their foundation in the OTA Online Trust Audit, a review of security, privacy and consumer protection practices enacted by 1,000 leading retailers, banks, social networks and government websites. In fact, in the 2015 OTA Audit, the websites of the top 50 IoT manufacturers were evaluated for the first time; the scores were not encouraging, with a failure rate of 76 percent.
This research highlights the need for increased vigilance and focus on security and privacy by design in this rapidly emerging market.
IoT offerings also present a unique challenge because of the balance between functionality and connectivity (e.g., does the connectedness of your coffeemaker have any impact on its use to make coffee?), the nature of their interconnectivity (e.g., how much should devices be evaluated as standalone versus in the context of overall use, as in a connected home?) and the long-term nature of their use (e.g., how to deal with the “smart” nature of home devices long after the warranty has expired).
In the security arena, many of the IoTWG’s recommendations complement widely accepted standards and practices in place today, including encrypting data in transit and at rest using current best practices, using randomly generated usernames/passwords, using Always-On SSL or other appropriate methods to protect session data and mechanisms that ensure updates and consumer notification are not sent from fraudulent sources.
What complicates the landscape is that the majority of devices are dependent on apps, mobile platforms and back-end cloud services that often integrate with “home automation hubs”