This article is the second in a two-part series. For part one, please go here.
Last week I set out the problem of securing the Internet of Things (IoT). I painted a pretty bleak picture, but all is not lost.
Traditionally, the go-to answer to digital security has been "consumer awareness." For PCs, it’s not entirely unreasonable: Most people know they need anti-virus protection and many are coming around to doing regular backups. The trend is driven by ubiquitous horror stories: We’ve all either been victims or know someone who has. The safest computer users are the ones who take pains to protect themselves. ("Fool me once, shame on you…")
I wrote in this space a few weeks ago about the number of times I’ve heard learned experts at technology conferences pronounce solemnly that, "The key to security in the IoT is consumer education." I followed up a sentence later with the opinion that consumer education is about the dumbest strategy imaginable for securing the IoT. It’s a losing proposition that’s guaranteed to fail. There haven’t been enough horror stories to scare people yet and, as my friend Curt Schacker from IoT company EVRYTHNG observed, Millennials in particular show a marked propensity not to care much about privacy if there’s a benefit to compromising it and you don’t bother them too much.
So it’s pretty much up to the technology community to protect its customers from themselves, which they’re motivated to do because they know the "Big One" is coming soon and they don’t want it to be associated with one of their products. If someone gets burglarized because the bad guys shut off the alarm system through a connected thermostat, everyone who makes connected thermostats is going to suffer.
The "Big One," by the way, isn’t going to be something like the Target data breach and other such incidents, which barely made a ripple in the public consciousness despite industry attempts to hype them into catastrophic proportions. Because of strong consumer protection laws, holders of Target charge cards, like bank credit card customers, essentially have zero liability. The Big One is going to be something far more personal, or even lethal.
The IoT Security Opportunity
There’s a huge opportunity for some company to crown itself the brand leader in IoT security. The key will be a simple, visible, one-step way to protect devices and ecosystems. The eventual acceptance of labels boasting "Protected by X" as all the security you’ll ever need will be worth a fortune, and that’s what should be driving entrepreneurial tech companies to become the brand leader and savior.
It could be Microsoft, which has committed to adding BitLocker encryption to its Windows IoT. Another possibility is Gemalto, a pioneer in securing mobile payments. Their Secure Element (SE) technology is embeddable into devices and provides both encryption and access limitation. It’s being considered for use in the automotive and utility industries and is easily adaptable to other categories of the IoT.
If I had to bet on an approach for smart homes, it would be on either Dojo, the first offering from Israeli start-up Dojo-Labs, or Sense from Finnish company F-Secure. Both are cloud subscription services that work through a device plugged into the homeowner’s WiFi router to create profiles of how all of the devices in a connected home behave and then react to anomalies.
An interesting development is the Internet of Things Security Foundation (IoTSF). It was created by a consortium of major tech firms who realized that they had everything to gain and nothing to lose by collaborating with their competitors on the matter of security (something Las Vegas casinos figured out a long time ago). There are also ideas afloat for using independent platforms that allow large networks of devices to federate authentication in a kind of "mesh verification."
These are all good concepts, albeit a long way from being proven. They’re also device-centric, which creates two special challenges.
The first is that most IoT devices are "always on" and are only authenticated once, which makes them attractive targets as gateways into their associated ecosystems.
Which brings us to the second challenge, the question of where hackers are really likely to attack, and it isn’t only at the device level. As any proselytizer of Big Data can tell you, the good stuff is in the cloud. In fact, from a technical perspective, it’s all in the cloud, and there’s very little consumers can do to protect themselves other than deal with reputable companies who take privacy seriously.
Another reason to deal with reputable companies, no matter how attractive the offerings of the lesser-knowns: Suppliers of your home automation devices are monitoring them and periodically downloading firmware upgrades. This isn’t something you want done by a fly-by-night firm who’s probably outsourcing development to the lowest-cost vendor somewhere in Outer Spitoonia.
We’re nowhere near where we need to be when it comes to securing the IoT, and you can’t wait for tech companies to do it for you. Walk through any neighborhood with your smart phone displaying the WiFi settings page and you won’t get half a block before coming across unsecured connections. Do you change all your passwords every 90 days? Me neither (although I do back up fanatically, which protects me against certain kinds of hackers but not all). Do you even know how your smart home devices are currently secured, or if they’re secured at all? Are you sure that the only one seeing what’s on your security camera is you?
Until "they" figure it out, "we" have to take special pains to protect ourselves.
Now, this is the place where you’d expect me to tell you how to do that, but I’m not going to. I already know you won’t do it. If you were the type who would, then you already have and you don’t need me.
So, instead, I’ll just wish you good luck.
Lee Gruenfeld is a Principal with the TechPar Group in New York, a boutique consulting firm consisting exclusively of former C-level executives and "Big Four" partners. He was Vice President of Strategic Initiatives for Support.com, Senior Vice President and General Manager of a SaaS division he created for a technology company in Las Vegas, national head of professional services for computing pioneer Tymshare, and a Partner in the management consulting practice of Deloitte in New York and Los Angeles. Lee is also the award-winning author of fourteen critically-acclaimed, best-selling works of fiction and non-fiction.
© 2021 Newsmax. All rights reserved.