Not too long ago, the idea of communicating with your kitchen appliances or hopping in a self-driving car may have seemed like science fiction.
But the promise and potential that come with connecting more gadgets online mean that just about anything with an on/off switch can be connected to the internet and a remote controlling device over the same network.
By 2020, more than 50 billion devices are expected to be connected to the internet, meaning our world will become increasingly ‘smart’ as the Internet of Things (IoT) permeates into more parts of more people's lives.
We can already adjust the temperature and lighting in our homes from anywhere in the world; remote diagnostics can be performed on aircraft engines in real time; our cars can warn us of traffic problems and provide alternate routes.
And while all these connected devices may simplify our lives and streamline companies’ production and distribution, they also give rise to a myriad of new security threats that have the potential to disrupt people’s online lives in new and frightening ways.
“There are no devices that can’t be hacked, it’s just a matter of time and dedication,” warns Blagoj Kupev, an embedded systems designer with Scandinavian IT services and software development consultancy Seavus.
And as more systems and devices get connected, more sensitive corporate and personal information gets stored online, meaning an increased potential for hackers to cause serious harm.
Earlier this month, for example, it emerged that a data breach at US credit rating company Equifax may have left the sensitive financial data of up to 143 million Americans exposed.
And in Sweden, revelations that the country’s Transport Administration (Transportstyrelsen) ignored rules about data security resulted in the departure of the agency’s head and two ministers.
High-profile data breaches often involve capable hackers who are able to penetrate complicated security measures at major companies or public bodies.
But as the number of devices connected to the internet continues to multiply, so does the number of pathways open to nefarious individuals or groups looking to cause harm.
“If you make a cheap, unsecure device that requires users to set up their own security measures, you may sell more devices to more people. But the problem is these people may lack the knowledge to set things up correctly,” Kupev explains.
Even purchasing a high-end smart appliance with lots of security features doesn’t mean things can’t go wrong if users do not know how to use it properly.
“If your router is easily hackable, someone could then easily get access and hack into your smart oven, turn it on, and potentially start a fire in your house,” he continues.
The weakest link
Last year more than 900,000 routers in Germany were knocked offline by a cyber-attack that experts believe was an attempt to infect the routers with malware. While the attack didn’t result in any smart ovens getting hacked, the incident demonstrated an important principle that Kupev says everyone must remember in today’s connected world:
“The Internet of Things is only as strong as its weakest link – and it’s those weak links that are often subject to attacks.”
Part of the problem, says Kupev, is that current cybersecurity approaches and strategies were designed for a time when anyone involved in computing device security likely had a certain level of technical knowledge.
“Now we have to make things usable for ordinary people,” he says. “The Internet of Things requires making it possible for consumers, rather than IT professionals, to be the first line of cybersecurity defence.”
At Seavus, Kupev and his colleagues specialize in designing systems and interfaces that are both secure and easy to use.
“We focus on embedded devices – anything that you can imagine being a part of the Internet of Things – to ensure secure communication between the devices and the network – and that devices always have predictable behavior,” he explains.
Despite having capable teams of programmers and rigorous testing procedures, many companies – be they retailers, manufacturers, or service providers – still have a hard time seeing the potential vulnerabilities in their own systems.
“There are a lot of companies who think ‘this will never happen’ and then they come back to us six months later saying ‘it happened’,” says Kupev.
The challenge, he explains, is being able to look at things from a different point of view.
“Often a client’s view of things can be quite narrow because they’re used to looking at things from the same perspective,” he adds. “Our job is to help them look at matters from a different angle and uncover vulnerabilities they would have otherwise missed.”
To illustrate his point, Kupev tells the story of an engine maker that invested heavily in ensuring a device’s “regular” communications systems are secure.
“They did magnificent work in securing Ethernet and other standard interfaces, but no one thought about the GPS system that was part of the engine control system as a possible target for hackers.”
No instructions required
Another example that illustrates Kupev’s “weakest link” and “user-friendly” principles involves payment terminals with a system that required service personnel to have special cards to activate the terminals’ service mode.
Since staff kept losing the cards, the company simply turned off the card function and allowed service access without card authentication, exposing the system to serious security threats.
“There are a lot of ‘side entrances’ into systems and devices that people assume are secure but which may not be that secure,” he says.
“We help identify holes in clients’ systems so they can see where the design needs to be improved and then we propose how they can fix it.”
Kupev believes both companies and consumers need to take greater responsibility for ensuring devices are secure and that sensitive data remains safe from hackers and other cyber-threats.
“The arrival of the Internet of Things means that more people need to be aware of what sort of data can be exposed,” Kupev explains. “There are simply lots more devices connected in new ways that are producing more data that can provide a lot of insight into our daily routines.”
First and foremost, companies need to do more to make setting up security features foolproof for the most technically illiterate consumers.
“The key is creating systems and instructions that are easy to follow so that people can set up devices and have control over what data those devices create and how that data is used,” he says.
“You have to make devices user-friendly so everyone can get the setting right even without an instruction manual.”