The internet of things has expanded to include an increasing number of everyday objects, from app-controlled household appliances like coffee makers and smart refrigerators to voice-controlled virtual assistants built into speakers. The internet of things describes a variety of physical devices that gather data through sensors and communicate wirelessly. For example, driverless cars collect and process large amounts of real-time data to safely navigate traffic. However, the ubiquity of these devices raises the risk of cyberattacks that could jeopardize privacy and safety—unless regulators and manufacturers ensure proper cybersecurity protections.
The security risks of networked devices
What makes wirelessly connected devices so vulnerable? The rapid adoption of low-cost devices that forego robust security systems has led to an estimated 70 percent of all internet of things devices carrying flaws such as unsecured software and unencrypted communication systems. For instance, Johnson & Johnson recently warned users of its OneTouch Ping insulin pump that hackers could use it to deliver a fatal dose through its unencrypted radio communication system. Similarly, a hacker can deliver a high-voltage electric shock through a pacemaker by rewriting its software.
Internet of things devices also serve as entry points to a network, so attacking one can compromise an entire network of connected devices, potentially stealing sensitive personal information along the way. Moreover, hackers can also control a group of compromised devices to carry out a distributed denial-of-service (DDoS) attack that overloads and shuts down entire websites, such as last fall’s Mirai botnet attack against Netflix, Reddit, Twitter, and other tech companies. And with the research firm Gartner predicting over 20 billion devices in the internet of things by 2020, any unsecured ones will present an even greater threat to internet networks moving forward.
The issue of cybersecurity extends more critically to driverless cars. These vehicles rely on many internet of things devices to communicate with other vehicles, so a security breach in one car can easily compromise multiple vehicles. While the commercialization of autonomous cars may be years away, increasing public-private partnerships for security research now is crucial given the increasing number of cars undergoing trial tests on the road every day.
A framework for internet of things cybersecurity
The Senate recently introduced The Internet of Things Cybersecurity Improvement Act of 2017 to establish security standards for devices sold to the federal government. The bill would mandate all vendors design products that can update software and passwords, conform to industry security standards, and have no known security vulnerabilities. Although the bill only addresses vendors selling equipment to the government, commercial markets should consider adopting the same security guidelines. Agencies could also enlist the help of non-governmental organizations such as the Institute of Electrical and Electronics Engineers in certifying and rating the security features of internet of things devices.
Securing billions of vulnerable devices poses a great challenge. Currently, more than 20 federal agencies—including National Institute of Standards and Technology, National Highway Transportation Safety Administration, and Department of Homeland Security—have adopted guidelines with recommendations for manufacturers on how to approach internet of things security. To offer better regulatory clarity for developers, Congress should establish a baseline privacy and security framework for all devices that balances innovation with consumer protection. Individual federal agencies can then suggest industry best practices to address the different levels of risk associated with various environments like power grids, health care, and transportation. Ultimately, greater collaboration between industry experts and federal agencies will yield regulations that guarantee the safety of the internet of things.
Jeffrey Wirjo contributed to this post.