Just recently, GPS and fitness tracker company Garmin experienced a ransomware attack that rendered service for its products unusable.
It's unconfirmed whether anything nefarious has happened with its customers' data but the inconvenience of the outage was described by some as "the corporate equivalent of a heart attack."
While the benefits of IoT innovations are without question, they may come with a cost we aren’t prepared to pay—threats to our privacy and security.
We’re living in an Internet of Things (IoT) world where it’s no longer just a fantasy to ask your fridge to order your next load of groceries, request your speakers play your favorite playlist, or even adjust the temperature of your living room without ever stepping foot off the couch.
As our dependence on this technology inevitably grows, the security threats posed by this reliance also increase.
Solving these security concerns regarding IoT devices isn’t going to be a quick or low-cost fix. It’s estimated that spending on IoT security solutions will increase by 300% to $6 billion worldwide by 2023.
And industry efforts as a whole have been pretty piecemeal to date.
Businesses need to take more steps to safeguard their internal and customer data, as well as protect the functionality and reputation of their products and businesses. It will be a crucial move forward.
Innovation outpacing security preparation
There are already about seven billion connected devices in use—not including phones and tablets—and that number is projected to balloon to 21 billion devices by 2025. As the market grows and consumers become increasingly interested in connecting their lives, device makers are rushing to remain competitive and capture their piece of the pie.
While this is obviously a logical business strategy, the problem is many of these manufacturers are—to a concerning extent—failing to consider security issues related to IoT data access and management, as well as to the IoT appliances and devices themselves.
So as consumers continue to invite connected gadgets into their homes and their lives, they may also be unknowingly inviting in potential breaches to their privacy and security.
Ongoing pattern of IoT security threats
While all of this connected technology feels pretty new to most people, the reality is it’s been around for a while; and so have the problems with hacking, unfortunately.
The first reported case of connected gadget hacking took place between December 2013 and January 2014. The hack involved using everyday items such as routers, televisions, and at least one refrigerator to send a barrage of more than 750,000 malicious emails. These emails were sent several times daily in batches of 100,000 at a time and targeted businesses and individuals around the world.
How did the hackers gain access?
In most cases, the appliances weren’t set up correctly by homeowners. In other cases, homeowners were still using the default password that came with their device; a mistake many of us are guilty of.
But these issues aren’t just a result of a lack of consumer due diligence.
One of the most high-profile distributed denial of service (DDoS) attacks—which is when multiple computer systems are compromised and attack a target, such as a website, server, or network resource—took place near the end of 2016 using an IoT botnet called Mirai.
The attack affected thousands of connected home devices such as cameras and DVR players, and it resulted in the breakdown of huge portions of the internet, including giants like Twitter, Netflix, CNN, and the Guardian.
While that very first hack took place more than five years ago, researchers say IoT device security is only getting worse—despite claims from manufacturers that they’ve increased their security levels.
In 2013, security-testing firm Independent Security Evaluators (ISE) evaluated a number of small-office home office (SOHO) routers and networked-storage devices and found 52 vulnerabilities. When that same evaluation was performed again this year, the firm was eager to display the progress that had been made in terms of security measures. In actuality, it identified 125 new vulnerabilities.
And a 2018 paper revealed that many off-the-shelf smart devices, including home security cameras, doorbells, thermostats, and even baby monitors can be hacked in as little as 30 minutes using a simple Google search. Hackers compromise these devices by tracking down factory-set passwords.
And a 2019 F-Secure report showed cyberattacks on IoT devices are up 300%.
Another recent report by security firm SonicWall identified a 55% increase in IoT malware attacks in the first part of 2020, as compared to 2019.
The increase in IoT security breaches may be driven by the increase in IoT traffic to a large extent, but it seems unanimous that action needs to be taken to correct this issue as the market scales.
Recurring Billing for Telematics & IoT
Maximize business opportunities around your telematics and IoT devices. Fusebill powers recurring billing & agile monetization through real-time billing communication between your device and the billing engine.
Where are businesses dropping the ball?
The IoT is a mega trend that can’t be ignored. But in order to enter this space with success, businesses need to create effective strategies to ensure the security of their IoT data, their devices, and their customers.
The following are several reasons why there are so many security concerns in this space.
1. Pressure to enter the market quickly
Manufacturers may have a thorough understanding of their products—whether they’re dealing in refrigerators, speakers, wearables, or any other device—but they don’t necessarily have experience in connecting them.
As a result—and in order to get to market and remain competitive—manufacturers are hastily building system on a chip (SoC) technology into their products without proper consideration and understanding of the operating system (OS) and its service.
SoCs have all the components needed to render a product “connected”, but manufacturers are failing to create long-term plans to securely manage their SoC hardware and software.
2. IoT data security capabilities aren’t at the forefront of the manufacturing process
This is largely due to limited IoT hardware resources.
IoT devices require processing, system memory, and storage space, all of which restricts space for modern security mechanisms like encryption. And altering the OS to add security and prevention features takes a lot of time, effort, and testing—which obviously creates a barrier to quick market-entry.
3. Businesses are using legacy software with poor security capabilities
This is an important core reasons why there are security concerns in the IoT space.
At a basic finance and accounting level—which is arguably the lifeblood of any business—many businesses and manufacturers are using manual and legacy billing and customer management processes and software.
These systems lack proper industry-leading security features and infrastructure. And as a result, they open businesses to security risk on many levels, from finance and data breaches to issues related to compliance and regulation.
How can IoT-based businesses begin to solve the problem?
Addressing security issues related to core financial processes is an important first step businesses and manufacturers involved in—or interested in being involved in—the IoT market need to consider. And it’s a step that can have positive repercussions across an entire business, not just from a financial perspective.
A billing process that involves a lot of manual effort is not only a time-consuming endeavor for a business, but it also creates a lot of room for human error. And these errors can result in revenue leakage, invoicing inconsistencies leading to reduced customer satisfaction, inconsistent customer management, IoT data security and compliance breaches, and more.
Legacy billing and customer management systems also present challenges in terms of keeping up to date with industry standards for security—not to mention compliance, effective reporting, and flexible, efficient processes.
Digitally transforming your business with an adaptive automated billing solution can ensure it’s always on the cutting edge of what’s possible, as providers of these systems focus solely on advancing their technology to meet their customers’ needs as well as market demands. This means your business can automatically ensure the safety and security of its data as well as its customers’ behind world-class security standards.
The right cloud-based billing system will provide a range of security elements that may include state-of-the-art firewalls, network intrusion, and content delivery technology, in addition to:
- application audit logging
- domain authorization
- IP address restriction, and
- PCI Level 1 certification.
PCI Level 1 certification also means your service provider will be audited every year by third parties in order to maintain its certifications and compliance.
Moving to an automated billing system is an important step toward establishing a secure IoT-based business.
Securing the IoT industry
While governments are often slow to adapt regulation to current innovation, changes are happening in this regard. For example, the EU recently reformed its privacy legislation with a focus on protecting the personal information of its citizens. Among many other elements of this legislation—which is referred to as the GDPR—individuals in the EU now have the right to have their personal data erased by companies in certain situations, to be informed when their data has been breached, and to be protected under this legislation, regardless of where in the world their data is processed.
Certain U.S. states are also taking action to safeguard individual privacy. California is the clear front-runner with its California Consumer Privacy Act (CCPA). This act—which aligns closely with GDPR principles—also enforces data breach notifications, requires businesses to disclose to customers if they’ve collected their personal information, and much more.
Canada is another country placing new guidelines on businesses to disclose data breaches, but also to retain information pertaining to those breaches.
While its one thing to be aware and inform customers of security breaches, its an entirely other thing to find ways to prevent them all together.
As the IoT market becomes more ubiquitous, customers will hand over their loyalty and their money to businesses they trust. Businesses that have put in the work ahead of time to create sustainable security measures will be poised to lead in this space. And as government moves to keep pace with the rapidly evolving IoT environment, soon enough there won’t be any choice but to comply with stricter regulations.