Who takes responsibility for IoT security?

Owners of smart homes should take equal responsibility for IoT security with the manufacturers of smart appliances, according to a statement by the FBI.

In a recent statement in the US, the FBI has made it clear that responsibility for Internet of Things (IoT) security lies with the user as much as with the manufacturer.

In a public notice, the law enforcement agency notes that “as more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the internet also increases the target space for malicious cyber actors.”

Vulnerable devices listed include:

  • Automated devices which remotely or automatically adjust lighting or HVAC.
  • Security systems, such as security alarms or Wi-Fi cameras, including video monitors used in nursery and daycare settings.
  • Thermostats.
  • Wearables, such as fitness devices.
  • Lighting modules which activate or deactivate lights.
  • Smart appliances, such as smart refrigerators and TVs.

A report by ZDNet’s Zero Day security blog, however, highlights that there are still “many issues relating to the security of IoT devices [which lie] squarely on the shoulders of the vendor.”

This includes updates and security patches, which the report says are often out of date.

According to the author: “This is something that vendors must get on top of. Connected devices – whether it is a remotely unlocking car or a smart thermostat – may look pretty and work well, but as IoT popularity increases, security can no longer be left on the sidelines.”

While the notice by the FBI did provide some practical advice for consumers to follow, an interesting question to consider is: with whom should the responsibility for IoT security lie?

Charlie Osborne, author of the article, believes: “Yes, there is a certain amount of responsibility users must take.

“When updates are available for your devices, you should update immediately – as we see time and time again, outdated software often equals vulnerable software. However, it is one thing to remind users to update their software and another to place full responsibility on their shoulders.”

She continues, “perhaps the FBI’s next public announcement should be related to vendor responsibility — such as enforcing changes to IoT device default passwords at setup in an easy way — rather than assumptions based on the technical capabilities and knowledge of the average household.”

IoT security market

According to Markets and Markets, the IoT security market is expected to grow from US$6.89 billion to US$28.90 billion by 2020.

This could be because, according to Terrence Gareau, chief scientist at Nexusguard, in an article published on CSO Online, “by its very design, the Internet of Things is built with lightweight security.”

“These devices rely heavily on shared libraries and a rapid development cycle. Because of their constraints, many IoT devices have limited options for firmware upgrades and other risk management features. The fact that they are also ‘always-online’ makes them highly susceptible to intrusion and attacks.”

To this end, Toshiba has announced today that it will be partnering with Intel to “reinforce the security capabilities of its IoT and industrial infrastructure system products by adopting Intel’s security products, including Intel Security Critical Infrastructure Protection (CIP), security information and event management (SIEM), whitelisting, endpoint security and firewall.”

According to a release by Toshiba, which was widely reported in the IT media, “the collaboration will protect Toshiba’s customers’ data and businesses from emerging cyber threats, with a main focus on the industrial infrastructure sector, including energy, transportation and healthcare.”

“Cyber threats have become a major concern that are causing industrial companies to hold back their transition to IoT,” said Shigeyoshi Shimotsuji, Corporate Vice President and Executive Vice President of Toshiba’s Industrial ICT Solutions Company.

“This collaboration allows Toshiba to benefit from Intel’s latest security technologies and deep experience and will boost the security capabilities of our industrial infrastructure solutions. It is a positive move that will bring peace of mind to customers and support them in further advancing their IoT businesses.”