As the drive to bring any and all imaginable physical objects online continues full steam ahead, internet-enabled devices are increasingly part of our day-to-day routines. In our quest for more productive and enjoyable – or simply easier – lives, we cannot avoid jumping on the Internet-of-Things (IoT) bandwagon. Up to 30 billion devices are predicted to be online by 2020, according to the Mozilla Foundation.

To be sure, IoT is not just about our personal efficiency or enjoyment, and the class of products such as smart watches or smart light bulbs. Spurred by innovations in hardware, networking, cloud data management, big data, and machine learning, IoT is also taking many industries by storm. This includes those classed as belonging to critical infrastructure, as various sectors invest in the Industrial Internet-of-Things (IIoT), with the intent of enhancing the efficiency of infrastructure, energy management, health care, utilities, and other public services.

Any internet-connected device or system, from the most frivolous to the supremely practical, has implications for security and privacy. However, the security and privacy sides of things have commonly been an afterthought, especially in the design of consumer-oriented IoT devices. The security and privacy of what are often resource-constrained gizmos seems to have been traded off for their functionality, internet connectivity, low power demands and, no less importantly, market-driven incentives.

This might be less of an issue if the usefulness of the devices did not rest on our willingness to share our data with the gadgets – and with their manufacturers and possibly other entities. In many cases, this sharing encompasses highly private data that are collected and shared invisibly with tech that is often designed to be unobtrusive. All that convenience, together with the insight into – and benefit for – our well-being, are nevertheless other parts of the trade-off.

Our love affair with – or dependence on – internet-connected tech has outpaced our ability to keep our devices and data safe and secure. In the absence of proper security precautions, the rapidly expanding nexus of devices, objects, applications and services that constantly chatter to each other is also greatly expanding our attack surface, the sum of all exposure points that ill-intentioned actors can exploit for cyberattacks. In the case of IoT, it is often true that little technical skill is required to assault the smart things or to use them to assault other devices. Add to that the medley of what are often deeply personal data collected by the devices’ sensors, and we’re in for a volatile brew promising previously un(fore)seen privacy headaches.

Worries abound also as IoT often means a convergence of the digital world and the physical world. Leaving aside some mundane examples such as smart toothbrushes, the vulnerability of many types of IoT devices can ultimately lead to some dire real-world consequences. Insulin dispensers and pacemakers are just some IoT-enabled devices that have been shown to contain security flaws that could be exploited, with lethal results, by hackers. Vulnerable IoT devices also provide opportunities for cybercrooks to gain access to other devices on our networks, exposing information attached to these networks.

As the European Cyber Security Month (ECSM) awareness campaign winds to a close, let us consider some of the key factors that make it difficult to keep security threats to IoT in check.

Software woes

Many gizmos are riddled with security flaws “out of the box”. Their firmware, i.e. in-built software on a chip, can contain old and already well-known vulnerabilities at the time of – or soon after – hitting the market. In addition, not even the most exhaustive code review is likely to remove all the kinds of bug that can lead to security loopholes – assuming, of course, that any code review is undertaken.

Moreover, security updates rolled out over-the-air, let alone automatically, are hardly a matter of course with IoT devices. This often leaves the loopholes wide open throughout the product’s time in use. Even when such updates are released, they’re often out of reach for ordinary users, who may find them too difficult to install and/or not worth the trouble, or, perhaps most commonly, they never even learn about the existence of these patches in the first place.

Worse still, in some devices the software cannot be updated at all. In such cases, too, their owners don’t usually keep current on the known vulnerabilities and cannot address them using other mitigation practices.

Come on in!

Poor or even non-existent authentication that allows unauthorized access to the deployed IoT systems and users’ data is another perennial problem plaguing the IoT universe. Too commonly, the gadgets are insecure by default, using publicly-available, easily-guessable, and even hardcoded credentials that are often only a Google search away. Perhaps just as commonly, users stick to the default settings and never change their usernames and passwords.

One striking example was seen in 2016, when the Mirai botnet malware brute-forced access to tens of thousands of IoT devices that were running on default credentials. The botnet was then unleashed to conduct a series of distributed denial-of-service (DDoS) attacks that knocked out thousands of websites for many internet users especially on the US East Coast.

Private information may also be compromised due to a lack of authentication when establishing communications, as well as non-existent data encryption between the device and its hub or cloud-hosted services that receive the data. Unfortunately, many of the devices have limited computing resources and cannot even utilize strong encryption protocols.

“The boring bit”

A team of Oxford University academics recently published a paper intriguingly entitled ‘“Privacy is the Boring Bit”: User Perceptions and Behaviour in the Internet-of-Things’. They found that while many people viewed IoT-enabled gadgets as inferior in terms of familiarity, usability and respect for user privacy when compared to less novel devices such as laptops and smart phones, they still went on to purchase the “things”. Dubbed the “Privacy Paradox”, this disparity between opinions and actions has been attributed mostly to reduced security awareness.

In fact, consumers may sometimes be unaware that a device is connected to the internet and sharing their data. Indeed, IoT ushers in a fundamental shift in the interplay between users and their private data. This change translates into unprecedented privacy challenges that are unlike the data privacy issues with which we’re already familiar.

At any rate, the potential of IoT cannot be realized if users’ privacy choices aren’t given due consideration. However, we cannot guard ourselves unless we’re aware of the inherent risks in the first place.

Suggestions for further reading:

Interred in the Internet of Everything

How to start analyzing the security of your IoT devices

Privacy by Design: Can you create a safe smart home?

IoT attacks: 10 things you need to know

The Hive Mind: When IoT devices go rogue