From cities to the countryside, from power plants to homes, we are quantifying every facet of our environment. We deploy hardware on farms to monitor environmental conditions, install smart meters in our homes to track energy usage, and stalk components in a supply chain to increase efficiency. The number of potential applications is mind-boggling.

While the figure is much debated, there are expected to be 125 billion devices connected to the internet by 2030, a 360% increase from 2017. In China, the market for these devices is expected to reach $121 billion by 2022. Additionally, the number one shipper of IoT cellular modules in 2017, which allow machines to “talk” to each other over a mobile network, was Shenzhen-based.

The Chinese government has already set out plans to deploy more than 600 million narrowband IoT (NB-IoT) devices—which require very little power and have extended ranges—in the next three years. These will eventually replace the existing network of 2G devices. The Chinese IoT market is enormous.

But the use of these devices comes with a caveat. As we measure and monitor the world around us, we too get drawn into the web. In 2016, a group of Chinese researchers found vulnerabilities in the Taiwanese-made Edimax smart plug, a device routinely used for home automation. The team was able to gain access to user credentials by exploiting cryptographic flaws.

In 2017, Xiongmai Technology, an IoT camera manufacturer from Hangzhou admitted its cameras had been exploited by the Mirai malware to form part of a botnet and launch a distributed denial-of-service (DDoS) attack targeting websites including Twitter, PayPal, and Spotify. The assault was one of the worst in US history.

Also in 2017, cybersecurity firm Bitdefender found that over 175,000 cameras made by Shenzhen’s Neo Electronics could be remotely exploited. The company later recalled 10,000 cameras in the US. These are not isolated cases; numerous other Chinese IoT camera manufacturers have been called out for security flaws.

Global IoT applications in 2017 (Image Credit: IHS Markit)

A matter of money

The explanation for the vast number of issues has less to do with technological limitations and more to do with economics: it’s more expensive to make a secure device.

“Securing the device is possible, so there are multiple things that the device manufacturers should do, but it will cost two or three times more,” said Rodrigo Brito, member of Nokia’s cybersecurity leadership team, during a panel discussion at Mobile World Congress (MWC) in Shanghai.

“I wouldn’t see it as a technology gap, I would see it as a money gap,” he said.

The affinity for creating unsecure, low-cost IoT devices has led to a spike in the total number of vulnerabilities globally. According to a report by the Chinese Cybersecurity Emergency Response Team (CN-CERT), the number of IoT exploits found by the organization increased by 120% in 2017, with 27,000 devices being targeted by malicious actors every day.

CN-CERT said in its report that it expects the threats to connected devices to intensify in 2018 due manufacturers’ lack of security capabilities and the absence of industry supervision. The organization believes this will cause significant harm to privacy, capital assets, and personal safety.

The devices that are not on the markets [are] rushed to market with very poor security, privacy, and safety protection for consumers,” said Frédéric Donck, managing director of the Internet Society’s European Regional Bureau in a speech at MWC. “Security might be something that represents a cost. Well, industry doesn’t like that much. So, new devices, new vulnerabilities.” 

The need for security

With the expected proliferation of IoT networks in the next ten years comes major threats to the internet itself. These may not only arise from devices themselves but a lack of confidence created by their exploitation.

The bottom line is users might lose trust in the internet,” said Donck. “That would be very detrimental. We’ve seen that in the past with many other big incidents. If users don’t trust the internet anymore, you have a big issue. They won’t buy; they won’t use those promising applications and services.”

Donck’s statement is obviously hyperbolic. Will IoT vulnerabilities lead to a mistrust of the internet? It’s unlikely. But he does highlight a danger for IoT companies: lack of security protections for users could result in diminishing revenue, especially in a world where privacy has collided with the public sphere.

Despite leaders of tech companies explicitly stating that Chinese users of online services don’t care about their online privacy, the data says otherwise. In an online poll on Weibo, 86% of respondents said their privacy shouldn’t be violated, and over 50% said they see the data breaches as a significant problem in China. Additionally, 70% of users of digital media in the country have opted out of technologies, sites, or services because they believed they didn’t have enough control over their data. 

These concerns become ever more pressing when wearable technologies are exploited. Devices like these pose one of the most significant threats to privacy. And the livelihood of their users.

“Biometrics is a very interesting problem,” said Sri Chandrasekaran, member of the IEEE-Standards Association (IEEE-SA) during the panel. “The challenge with biometrics is once it’s hacked, then you lose your identity. You went from having a security problem into completely losing your identity in the digital space.”

What he says is true. When an email or social media account is compromised, you can change your password and other login credentials. The same isn’t true of biometric data. Once it has been exploited, there is no going back.

Users by country who have opted out of digital or technological services because of inadequate data controls (Image Credit: World Economic Forum)

Tackling vulnerabilities

Ensuring the security of IoT devices requires a multipronged approach. All elements in an IoT service need to be secured, from networks to devices to software to service platforms. Every layer of the application needs to be hardened.

“The device must be protected or designed with security in mind,” said Brito. The concept of security by design is an approach to hardware and software development that seeks to create a system that is free from vulnerabilities as it can be. “I consider the basics would be secure connectivity, authentication—so digital certificates—physical security, and device management so that when flaws are found then the problems can be solved,” he said.

This approach ensures that countermeasures are proactive rather than reactive, and generally benefits everyone, even those who are looking to save money. The cost of re-architecting an IoT network is far higher than creating a secure system from the outset, says Chandrasekaran.

The industry has so far witnessed a failure of the market with manufacturers seeking to reduce their expenses at the cost of user security and privacy. This is where standards come in: “We need to solve the security issue up front, not afterward. So [you should]  apply all these different standards and the government issues laws and regulations to promote cybersecurity,” Samuel Sinn, a partner at PwC’s Risk Assurance practice, said at MWC.

However, the problem won’t just be solved by regulators. Various stakeholders need to get together to discuss the system’s current issues. Chandrasekaran believes that policymakers may not be able to adequately understand complex technologies, and conversely, technologists may not understand the issues involved in setting standards and regulations.

Donck agrees: “We need many more people around the table to discuss security because as we see, there is an ecosystem that is impacting so many different actors that you need those actors to be around the table.”

With growing privacy and security concerns around the globe, diminishing confidence in unsecure systems, and more intense scrutiny from regulators, security should not come at a premium.

“It’s a non-functional feature. So I as a customer, I shouldn’t be paying for security,” said Chandrasekaran.