There is an "enormous tug of war between convenience and privacy" in IoT, and device manufacturers aren't doing enough to pull on the privacy end of the rope, said Scott Montgomery from Intel Security.
This was the focus of Montgomery's talk, titled "Preparing for the Security Tsunami of the Internet of Things," at the 2016 Structure Security conference in San Francisco, CA. While IoT-connected devices often promise new levels of convenience or productivity, they are creating new security threats and privacy concerns.
Montgomery cited the example of Mattel's Hello Barbie, a Wi-Fi-connected Barbie doll that was shown to be vulnerable to hacks. This was especially frightening, he said, for the obvious implications to child safety.
However, connected devices aren't going anywhere any time soon. Montgomery said there are two reasons why manufacturers will continue to embed internet connectivity in their devices. The first is that it allows the manufacturer to touch the device and perform updates or changes without sending a technician, which reduces overhead. The second is that it gives them access to targeted data, which can help them position more goods and services to customers.
A big problem is that users, for the most part, aren't thinking as strongly about security as they should be. Security and privacy are already tricky, Montgomery said, but consumers are too ready to "roll the dice with their privacy" when they purchase new gadgets. When consumers see the potential convenience of IoT, they often don't consider the new threats that these devices introduce.
So, doesn't that mean that companies should do more on their end to secure the devices? The answer is complicated.
Montgomery said that chip and device manufacturers need to collaborate on standards that they can implement, and agree on, to improve the security of these devices. And, while there have been some talks from the Industrial Internet Consortium about secure chip standards, they aren't available yet.
Additionally, chip manufacturers need to be doing more attestation to make sure the chip is what it says it is, and is doing what it is supposed to be doing, Montgomery said. They also need more visibility so they can guarantee when updates happen, and confirm that they did occur.
Attestation could also help with the update cycle. Manufacturers often already have a system for updates to keep up with consumer demand for new features. Better attestation could help devices verify that those updates come from a known source, he said.
The 3 big takeaways for TechRepublic readers
- IoT devices create new levels of convenience, but they also bring new privacy and security concerns, said Scott Montgomery from Intel Security.
- Montgomery said that manufacturers need better standards to guarantee security of the connected devices.
- Chip manufacturers need better attestation to help with protecting devices and to help guarantee updates.