IoT and Security – Same as always, only more so.

Posted on by

Chuck Martin over at MediaPost recently wrote an article with some interesting insights on consumer perspectives on IoT. While there are a boxful of statistics, the ones that jumped out were:

  • 14% of consumers surveyed think they are knowledgeable on IoT security
  • 90% think that security is something that should come standard with whatever they purchase.

So here is the issue. It’s easy to have top of mind awareness about security when you’re dealing with a device that is in your face (literally) all day. The primary operating context that most people think of for IoT is their phone (the average adult checks their phone over 200 times per day). It’s easy to recognize the risk associated with a compromised device that’s used hundreds of times per day, particularly when the device requires focus on the part of the consumer.

IoT is different. The whole point of IoT is that you don’t think about it. When was the last time you had a meaningful exchange with your toaster? Or the fuel injection system in your car? Technically your phone is a “thing”, but it’s a communications thing, an information thing, a thing that makes you feel naked if you don’t have it. So the other variable to consider is what is the class or level of thing that surveyed consumers are thinking about?

To paraphrase George Orwell, “all things are created equal, but some are more equal than others”. The more equal things are the things we use transactionally; phones, smart watches, smart glasses (if that ever manages to take off), the common thread here is these are things on our person. The less equal things, which far outnumber the more equal things, are the myriad sensors and RFID tags that are embedded in everything and now number in the multiple billions. Those are the things that are an invisible swarm in our daily lives, and the more of them there are, the more we’re going to come to depend on them. The more we depend on them, the juicier the target becomes for some nefarious jerk to try and mess with it. So it doesn’t even need to be something as overt as taking over a phone. It could be turning every stoplight in a city green at the same time, or causing a pipeline at a refinery to blow a gasket and trigger a “shelter in place” scenario, or shutting off smoke detectors in all public schools, the list is endless, and ranges from inconvenient to deadly.

And just to make it a bit more complicated, what happens when “things” stop working (assuming you even notice)? Right now, if, for example, your PC (also a thing) goes down, is it the PC, the OS, the app, your router, your WiFi, or your service provider? You can rest assured when you ask who’s at fault they will all point their fingers at anything but themselves, and this is an obvious example. What happens when a non-obvious thing goes off line or is compromised?

14% of consumers are knowledgeable about IoT security? I seriously doubt that. I have yet to meet a genuine expert in IoT security (just like I have yet to meet an actual “genius” at an Apple store), and I’ve been in this space since its inception.

There is a whole new level of cross-domain capability needed to address security for this type of technology ecosystem. The operating framework is so broad and complicated, this is going to fall into the purview of major technology companies who will then use it to push their own solution as a standard. Sound familiar?