Will Users Drive the Need for a More Secure IoT?

Posted by Carlos Salas

An interesting milestone was reached in China at the end of the summer of 2022. For the first time, the number of devices connected to the Internet of Things (IoT) surpassed the number of mobile phone users. In other words, connected things exceeded connected people. This trend is observed all over the world.

On the surface, it looks promising. IoT gives us entire networks of smart devices, which can provide services enabling impactful monitoring processes or useful actions. It paves the way for businesses to develop new products and plans, offers users new benefits and better value, and provides better services from governments to the public. Sounds like a win-win-win situation. But the increasing potential is closely followed by risk. 

The safety challenges of merging the physical and digital worlds 

As with all emerging technologies, additions to digital lives become a new attack surface for cybercriminals. Since the majority of IoT devices are meant to become an integral part of users’ private lives, the stakes are higher. 

Some of the threats to IoT are “inherited” and well known in the cybersecurity world, like supply-chain challenges. IoT devices travel through a chain of manufacturers, suppliers, distributors, and vendors before they find their way into users’ homes. Furthermore, IoT devices are often made as cheaply as possible with multiple third-party components, and they may not have essential security protocols in place or extended QA processes to identify possible vulnerabilities.

Other threats are new for the conventional cybersecurity field and come from the sheer scope of potential attack scenarios. A user connecting smart door locks is not necessarily a severe security hazard. But connecting smart locks, external data drives, virtual assistants, simple light switch adaptors, and other IoT devices in one home network could create cybersecurity threats. 

Operational technology networks connected with industrial control systems that manage critical infrastructure are also an emerging area for cybercrime. IoT developments offer improvements to this area as well, through remote sensors and monitoring, but vulnerabilities here can affect millions of people if exploited by hackers, so attacks could be far more devastating than hacks of a single user’s home appliances.

More regulation: pros and cons 

One way to tackle IoT security challenges is through improved governance. And it has merit—the evolution of IoT devices was uncoordinated, with rapid innovation taking place. But decentralization also increased, and IoT grew without proper governance. 

Since the full potential of IoT can only be realized through vastly interconnected devices and networks, it is necessary to find a way for them to interact with each other effectively. That means that at some point, at least some form of governance, for example the implementation of technical standards, will need to take place. But it may also lead to over-standardization, which creates other problems and poses a risk to IoT’s long-term growth.

If we assume that IoT’s value comes from diversity, that also means that diversity is one of the biggest challenges in this field. In a perfect world, we could have one single set of IoT standards that offers significant safety precautions and, at the same time, works equally well across all IoT devices, from smart locks to smart refrigerators. Yet we live in a practical world where each device or network has its own design and architecture considerations with a high probability of conflicting standards.

Can informed and motivated users be the salvation for IoT?

While intervention from governments in the form of setting clear standards could be beneficial, its implementation poses serious challenges. Can we then expect end users to become the flag bearers in the quest for a more secure IoT? 

The answer is puzzling. Research conducted by NordVPN showed that a whopping 55.9% of IoT users believe they are responsible for protecting their smart devices. Let’s not celebrate yet. Unfortunately, almost 25% of IoT owners do nothing to secure their gadgets. In the UK, the disparity is even more stark: 95% of people own at least one IoT device, but only one in five takes steps to secure them. 

It’s clear that making only one party responsible, be it users, businesses, or governments, would yield no improvements in creating a more secure IoT future. Just as IoT’s greatest potential is creating sustainable and shared value, so too the responsibility for safe use should be shared. For example, users and NGOs can call for more transparency in the field, businesses can conduct independent security audits, and governments can educate users and form sets of practical standards. While such cooperation for increased security in IoT currently falls behind the rapid growth of new devices, safe use is still possible.

Carlos Salas

Software Architect and AWS Cloud Specialist,


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
