"Internet of Things" Devices Have Their Security Risks. How Regulators Should Address Them.

COMMENTARY Cybersecurity

"Internet of Things" Devices Have Their Security Risks. How Regulators Should Address Them.

Jan 4th, 2018 6 min read
COMMENTARY BY
Riley Walters

Research Associate

Riley is a Research Associate at The Heritage Foundation.
"Internet of things" devices are revolutionizing basic features of modern life, but not without security risks. iStock

Most Americans own some sort of “smart” device, whether it’s a smartphone, a smart thermostat, or a smart fitness tracker.

These devices are benefiting Americans in countless ways, from helping them become more energy-efficient, to saving money and even tracking their health.

But many of these devices can also pose a security risk to unsuspecting consumers. It’s up to consumers to decide whether the sticker price is worth the personal risks from these “internet of things” devices.

Every year, The Heritage Foundation publishes papers highlighting some of the most significant cyber incidents involving both the public and private sectors. This year’s papers include a list of cyber incidents that involve the interconnected devices.

These devices extend beyond just the desktop computer and begin to combine real-world information with data analytics and automation. Internet of things devices include heating, ventilation, and air-conditioning systems; baby-monitoring devices; automatic transportation services; and other office and home devices.

These devices continue to multiply in number, given their utility and relatively low costs. By the year 2021, 73 million households in North America are forecast to be a “smart home” or contain some smart device other than smartphones.

>>> Understanding the Internet of Things

The purpose of this list is to highlight everyday devices that consumers might not have realized had become connected, and the risks that can pose.

Still, regulators should remain wary of imposing new rules that harm the development of internet of things devices. Consumers’ demand for these devices will continue to drive investments in both markets for cheap devices with poor security, and markets for expensive, secure devices.

Increasing the cost of devices through burdensome regulation might impede the creation of all new devices. Congress should be content that within these markets, assuming equal costs, consumers will naturally tend toward buying devices that are more secure.

Internet of Things Devices at Risk

Wireless Routers: Wireless routers have become the common connecting device between consumers, wireless devices, and the internet. However, if manufactured with poor security, hackers can find ways to access almost any devices that are connected, such as a desktop computer or smartphone.

The Smart Fish Tank: A smart fish tank—used to monitor and automate features, such as water temperature—was reportedly used to breach the networks of a casino. Hackers were then able to use the access they gained to siphon information from the casino’s networks.

Wireless Pacemakers: Instead of risking patients’ health by putting them back under the knife during complications, manufacturers are opting for safer, wireless connections to these devices.

A trade-off is made between the physical risks of surgery with the potential risks of a cyber incident. Pacemakers with poor security are at risk of being tampered with by malicious cyber activity. In August, the FDA recalled 465,000 pacemakers it identified as having a cybersecurity vulnerability.

The Smart Car WashCar wash owners may find it appealing to control their systems over the internet, but vulnerable systems could be taken over by hackers to cause physical damage to both vehicles and their passengers.

Internet Security Cameras: These devices are great for monitoring office security or for checking who’s at the front door. However, poorly protected internet-enabled security cameras can be accessed by hackers to spy on unsuspecting families.

Internet-Connected Toys: Parents who travel or have limited interaction with their children could see the appeal in being able to have a conversation with their child through one of these devices. This appeal is quickly lost once hackers are able to hear personal conversations or deliver their own messages through these fuzzy creatures.

Smart Lightbulbs: These devices let consumers change the lighting throughout their homes with the use of an application on their phone.

It’s a nuisance if hackers are able to turn the lights on and off without consumers’ consent, but a larger problem comes from these interconnected devices and malware being able to jump across them, spreading like a virus.

Smart Meters: These devices could be used by hackers to collect information on homeowners, mess with the electricity, and even increase the monthly electricity bills.

Solar Panels: Like smart meters, solar panels connected to the internet are potentially at risk from being targeted by hackers. Dutch researchers found vulnerabilities that could allow hackers to control the flow of electricity and potentially affect local power supplies.

Consumers should be cautious what information their new devices collect and how that affects everyday life. But policymakers must also be concerned about the risks these devices would pose when unified in a single cyberattack, often referred to as a botnet attack.

Last October, Dyn, a New Hampshire-based computer firm whose specialty is providing the means to access websites through its servers, was temporarily taken offline by a botnet attack known as Mirai.

Mirai created a botnet from internet of things security cameras, DVRs, and routers. Attempting to access Dyn’s services all at once, the overload of traffic was too much for Dyn.

A German internet service provider was temporarily taken offline a month later by a similar attack, which used a variation of Mirai.

Mirai was able to scan the internet for internet of things devices and use a pre-configured list of 61 common passwords to take control of vulnerable devices. A list of 1,700 common internet of things passwords used by manufacturers has been leaked online since.

Advancing Innovation and Security

New technology can seem complicated and, therefore, scary. To protect both consumers and producers of internet of things devices, Congress should take the following steps:

  1. Promote third-party security researchers. Third-party researchers, and even cybersecurity firms working on behalf of tech companies, are important for finding security flaws in new devices. Greater knowledge of security flaws enables consumers to make safer choices. Congress should promote the necessary services these individuals and companies provide. 
  2. Recognize that the markets of internet of things devices are diverse. The market for internet of things devices as a whole is still relatively new. For the foreseeable future, even within the markets for devices such as security cameras or wireless routers, demand will continue to exist for cheap, unsecure devices and expensive, secure devices. Congress should recognize the diversity in these markets and avoid restricting consumers’ choices.
  3. Limit government regulation on internet of things security. In the wake of a cybersecurity incident, Congress is quick to come down heavy-handedly to impose new regulations on companies. These regulations are often quick to become out of date and impose more costs on companies than actually benefit consumers.

The government should focus on making sure its own systems are secure before attempting to impose security regulations on others.

The internet of things and other emerging technologies will be beneficial for American consumers, even as they give rise to threats that are not currently foreseeable. Congress should avoid attempting to solve potential problems with slow and static regulations.

This piece originally appeared in The Daily Signal