The Insecurity of the Internet of Things

 Posted by Marion BachrachWe depend increasingly on electronic devices – not just our phones, but our cars, medical devices, home alarm and surveillance systems. In our communities, we rely on traffic lights, power grids and water supply. These devices are labeled as “smart” when they are connected to the internet.  But a 55-page report by the Federal Trade Commission (FTC) reflects that while the Internet of Things (IoT) presents extraordinary opportunities to use “smart” technology to improve cities, transportation and healthcare, it also presents increasing risks to the public when devices can be hacked. Those risks are not only financial in nature; some pose threats to personal safety; and some, such as internet-connected jet engines on airplanes and drills on oil rigs, could present potential threats to mass safety.According to the FTC, the IoT is now estimated to consist of roughly 25 billion objects connected to the internet. That number is expected to double in the next five years.Recent articles note that automobiles can be hacked and remotely controlled by electronic intruders. One team of research hackers caused brakes to fail and transmissions to stop functioning while a driver was in the car.  Many models studied were top-tier, expensive cars. The FTC report takes note of this problem.The report describes hacking into insulin pumps to render them dysfunctional. It also cites the danger posed by unauthorized access through internet-connected cameras and baby monitors.The FTC report takes the view that IoT-specific legislation is premature, reasoning that the IoT is in a relatively early stage and there is great potential for innovation. Instead, the FTC reiterates its prior recommendation that Congress enact strong, flexible, technology-neutral legislation to strengthen existing data security enforcement and notification tools on a federal level. It further recommends self-regulatory industry programs with a focus on guarding against hacking, misuse and breach of privacy, and implementation of best practices for security measures and training, including implementation of access-control measures. Among best practices, it endorses “security by design”, meaning security should be built into an IoT product at an early stage and at each stage of development. It also encourages companies to adopt a vigorous approach to monitoring devices during their life cycles and to patch vulnerabilities as they become known.The FTC report  is available at: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf