Hunt for a Safer IoT

3rd November, 2017 by

The number of devices that fall under the umbrella of the “Internet of Things” has grown dramatically in the past few years. We can have networked cars, thermostats, kitchen appliances, and wearable fitness trackers, all of which are connected to the internet and collecting data about our habits and lives. According to recent figures, “6.4 billion connected things are in use worldwide in 2016 and will reach 20.8 billion by 2020.”

While the IoT offers increased convenience and better utility from the kinds of machines we use every day, it doesn’t come without its risks. Generally there are two main categories of security threats that come from IoT. The first is a device being used in a way it’s not intended, such as when a baby monitor becomes an eavesdropping device for someone outside the home. The second is when a device is used in a way that it is intended, but for a bad outcome, such as a car used as a giant bowling ball to knock down giant pins. Both of these cases, as Forbes points out, are instances of “Hackers [coming up] with ways to use devices that were never conceived of before.”

It would be wrong to suggest that these threats are unknown. In fact, it’s pretty common knowledge that there are major security concerns surrounding IoT. The problem is that those conversations tend to happen amongst tech experts and journalists, rather than the consumers who are actually using the products. One tech expert, Troy Hunt, recently jested on Twitter that a solution could be putting a warning label on IoT devices, just like we do with cigarette packaging. While he may have said this in jest, he raises a good point: Whose responsibility is it to inform consumers about the risks surrounding the networked devices that are meant to make their lives better, not riskier?

To further his point, Hunt actually took the extra step of creating mockups of these warnings. On an ad for cars, he added in large text: “You acknowledge and agree that the API key used to remotely control features of this vehicle may be printed in the windscreen of your car for all to see.” Similarly, on an ad for connected smart toys, he wrote: “This is a listening device for kids: You acknowledge and agree your child’s intimate voice recordings may be placed in an unsecured Amazon A3 bucket and the Mongo DB behind the app may be public facing without a password.”

Of course, few people would happily use a product that came with those labels, and that is exactly the point that Hunt appears to be making. We don’t allow medicine, cigarettes or other potentially dangerous products to be sold to consumers without warning labels affixed to them, so why should we allow IoT manufacturers to extol the benefits of using their devices and appliances without clearly disclosing the associated risks? The logic goes that if manufacturers were obliged to include warning labels, they might think more deeply about the risks associated with those products.

By many accounts, IoT is now at a tipping point from being niche to mainstream. Before it gets there, manufacturers need to take responsibility for fixing the vulnerabilities in their devices, or for clearly disclosing the risks. As Mashable put it: “There are steps that both companies and consumers can take to make sure their security cameras don’t end up crashing Twitter (or worse). Whether those steps will ever truly secure IoT products is unclear, but they’re at least enough to provide the smallest glimmer of hope in an industry otherwise devoid of much positive news. And it’s a good thing, too, because without that hope the ecosystem is pretty much screwed.”
