The Internet of Things, as a collective term, encompasses almost infinite permutations of connectivity between devices, some with human intervention, others existing purely in a machine-to-machine (M2M) environment. The promise of a connected future has enormous implications for all aspects of our lives, but there are great risks along the way.
This week it was announced that a bipartisan group of U.S. senators plans to introduce legislation seeking to address vulnerabilities in IoT devices. The bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Sponsoring senators promised that the intention of the bill is to “take the lightest possible touch” with reasonable steps that would enable rather than limit growth.
But is even a light touch too heavy-handed for this nascent market?
The fear is real: according to researchers from Checkmarx, there are nearly two dozen vulnerabilities in the more than 1.3 million units of two IP camera models in use today, with 200,000 of them located in the United States. “As our initial scans came to an end, we reached the conclusion that if your (Loftek and VStarcam) camera is connected, you’re definitely at risk. It’s as simple as that,” Checkmarx researchers wrote.
In an example from last year, the Mirai IoT botnet hijacked insecure webcams, digital video recorders and other everyday devices to support a major attack on internet infrastructure that temporarily knocked some web services offline, including Twitter, PayPal and Spotify. This was a DDoS attack, using IoT devices as the attack vector rather than the target. However, the devices and the network themselves are likely to evolve into targets as the value of the data they carry increases.
The Internet of Payments
The natural reaction to this news might be to unplug all internet-connected security cameras, refrigerators, home speaker systems and more. That may be too extreme a scenario, but even a less drastic approach could have dire consequences for connected commerce.
IoT will only increase in value as it becomes more pervasive, as detailed in a recent Aite Group report. The network effect in itself will increase the value of the IoT, but so will the actual information payload, particularly as it pertains to transactional information. Aite highlights IoT use cases in manufacturing, energy and utilities, health care, retail, government, mobility and telecommunications. In short, the IoT will also be the IoP, the Internet of Payments, and as such will invite malicious access for fraud or other criminal purposes.
Luckily, the payments industry has some experience in walking this tightrope between draconian controls and open access (for good and bad), and many of the lessons learned through the steps and missteps of credit and debit cards, e-commerce and m-commerce, mobile banking, payments and wearables have been iterative and incremental.
There are existing controls such as PCI DSS and 3-D Secure that have been battle-tested, and we are already well on the way to mass usage of robust forms of authentication such as biometrics that set a precedent for IoT security measures. Inevitably, there will be widely publicized failures of IoT and associated consumer losses, but in many respects this is already the norm, with data breaches being part of doing business.
IoT is more of the same. Just a lot more.
It will therefore be imperative to ensure safety and security for IoT to flourish, but there will be a fine line between sensible checks and balances that build trust in this new network of devices and a heavy-handed approach that could easily stifle innovation. The IoT is in its infancy, and the trajectory it takes in the future is going to be defined by decisions made today.
A cautionary tale
It’s worth noting that over-regulation can have unintended consequences on an industry as fickle as payments, even when it is self-imposed.
The ill-fated Merchant Customer Exchange (MCX) mobile wallet, CurrentC, failed for a number of reasons, not least of which were its own rules prohibiting merchant participants from accepting any alternative form of contactless payment. Those that abided by the rules were left out of the early days of mobile wallet adoption for Apple Pay and eventually Android Pay and Samsung Pay; CVS and Rite Aid went so far as to shut off their NFC readers, blocking rival wallets that they had previously accepted.
Thus, when major retailers like Best Buy finally adopted Apple Pay, it was seen less as an expansion and more as a defection. The shackles were off, and the market chose a different path than MCX's self-appointed "regulators." As for the CurrentC wallet, it never made it out of pilot.
In this case, the damage was reversible, as participants needed only to wait out their exclusivity agreements or drop CurrentC in favor of a rival. If the rules came from the government, they would be much harder to roll back.
Pessimism or prudence?
This is not to say that some restraint is unwarranted. A recent IBM report on IoT Security flagged some common-sense assumptions regarding the IoT, setting out a number of “basic facts” around connected devices that serve as warnings all should heed:
- Devices may operate in hostile environments
- Software security will degrade over time
- Shared secrets do not always remain secret
- Weak configurations persist
- As data accumulates, exposure issues may increase
There will be an estimated 20 billion to 30 billion connected devices by 2020, according to a number of sources, which makes IBM's assumptions regarding IoT security somewhat pessimistic. But we can overcome them if we are prepared. Online banking endured a phishing epidemic in its earlier days and grew to be a necessary channel for interaction. IoT could do the same, provided its risks do not scare off potential innovators.