Will security concerns handicap IoT devices?

In a letter that began, “Dear Target, Walmart, Best Buy and Amazon,” 11 privacy advocates recently urged the retail community to stop selling internet-connected devices that don’t meet minimum security requirements.

As an example of related risks, the letter pointed to the 2017 CloudPets breach, when connected teddy bears exposed 2.2 million voice recordings made between parents and their children.

“It is estimated that by 2020, 10 billion IoT products will be active,” wrote the group, led by Mozilla. “The majority of these will be in the hands of consumers. Given the enormous growth of this space, and because so many of these products are entrusted with private information and conversations, it is incredibly important that we all work together to ensure that internet-enabled devices enhance consumers’ trust.”

The letter arrives as a number of studies attest that many IoT devices, from industrial sensors to webcams, televisions and other smart home devices, have little or no security. And while the damage from credit card breaches has led to surprise charges on billing statements, hackers of IoT devices may gain access to video feeds, conversations, an individual’s location in real time, their health data and more.

In December, a hacker took over a California family’s Nest camera to broadcast audio warnings about a North Korean missile attack. Some high-level concerns include devices coming from China being used to spy on Americans. IoT devices have also proven vulnerable to botnets, when hackers send vast amounts of spam mail to disrupt websites.

By all indications, makers of IoT devices have little incentive to improve security, given that there are no uniform regulations and consumers still show little apprehension.

Surprisingly, a survey from security provider Gemalto found that a wide majority of makers and users of IoT technology are looking to legislators for more robust guidelines on security. Almost half (48 percent) of the makers were unable to detect if their IoT devices were breached.

The 11 privacy advocates urged five minimum requirements: using encryption for all network communications, on-by-default and automatic security updates, the use of strong passwords for remote authentication, a vulnerability management program maintained by the vendor and the inclusion of a privacy policy.

DISCUSSION QUESTIONS: Will breaches of IoT devices likely become more or less of a headache for retailers in the years ahead? What, if anything, should retailers be doing now to address the situation?

Neil Saunders
Famed Member
5 years ago

This is an issue, but it’s more of an issue for product manufacturers than retailers. Ultimately, they are the ones who consumers will blame when things go wrong with security or privacy. That said, I think retailers have a responsibility to vet the products they sell and warn consumers about potential deficiencies or concerns.

Bethany Allee
Member
Reply to  Neil Saunders
5 years ago

I disagree. When you’re on a plane and the Wi-Fi doesn’t work, you don’t get irritated with the Wi-Fi service or onboard router. You get irritated with the flight attendant.

Within the IT team and the business at large, yes the manufacturer or service provider is the responsible party. To the public at large, it’s the retailer. (Think the Target breach of 2015 – most customers don’t even know that a system breach with the HVAC system (IoT) is to blame.)

The reality is that IoT security breaches are coming hard and fast. Because of what my company does, I’m biased. There is an easy answer – segmenting data streams so that none of them interact within the broader network or WAN is the only viable way of doing this (currently).

Neil Saunders
Famed Member
Reply to  Bethany Allee
5 years ago

There’s a big difference between Wi-Fi on a flight – which is an integral part of the experience and is offered by and often co-branded by the airline – and buying a third-party branded device from a store. Yes, Target or Best Buy may sell you the Amazon Echo or Nest device, but they don’t control the service thereafter. Nor is it co-branded with their name. As such, the consumer will primarily blame the provider of the service for any issues.

This is exactly what happened with the recent Apple Facetime flaw: no one blamed the store where they bought their iPhone for the problem (unless it was an Apple store!), they blamed Apple itself.

Of course, if the retailer is offering the service – such as Best Buy is doing in some areas – then they will inevitably shoulder some of the blame.

The Target data breach was also different. This wasn’t about products people had purchased, it was data customers had given to Target being hacked. True, it may not have been Target’s fault but the intrinsic link with the company made it the responsible party in the eyes of many consumers.

Bethany Allee
Member
Reply to  Neil Saunders
5 years ago

We’re addressing two different IoT issues retailers need to be prepared to face — and that’s on me. I answered the question incorrectly.

To your point, you’re right — product manufacturers will be held responsible for IoT devices that are purchased through retailers. No doubt. If you get a mouse head in your sealed cereal box, you’re going to call Kellogg, not Kroger.

To my point, retailers who are employing IoT in their footprint (photo kiosks, self-pay, lockers, in-store WiFi, loyalty hubs, etc.) will be held accountable for the security and breaches through IoT devices. The Target breach is a major IoT security breach where the retailer was held responsible — but not of a product customers purchased. That’s the difference.

Shep Hyken
Trusted Member
5 years ago

Security and privacy breaches of any kind will be a headache for retailers. The lack of confidence the customer will have for the retailer that can’t keep their info, data, recording, etc. secure will cost a retailer business. It’s that simple – and that important.

Cathy Hotka
Trusted Member
5 years ago

Talk about the Wild, Wild West! Every day, customers are deploying devices that then report back to the manufacturer and third parties, often without the customers’ knowledge. Organizations like EPIC that look out for consumers should engage with retailers to help them understand the risks and be transparent with customers.

Nikki Baird
Active Member
5 years ago

It will become a headache when consumers show up with the device haphazardly shoved into the box, with receipt in hand, to say “This device got me hacked. I want my money back.”

Retailers don’t want to be in the business of regulating IoT devices, and on the surface I don’t blame them. But retailers also want to benefit from the services they can garner by offering things like smart home implementation help. If you’re going to offer services around IoT, then you’d better have your act together about which devices you are willing to sell and support – because if you help consumers implement IoT that has security holes the size of manholes in the street, then you’re going to be perceived as complicit in those holes.

And what a value-added service – “we’ve tested and verified that all of the devices we sell meet these 10 minimum security standards, so that you can buy from us with confidence.”

Unfortunately, most retailers prefer to abdicate any responsibility. I call it “ships passing in the night syndrome”: retailers expect the tech vendors to take care of it, and the tech vendors expect the retailers to demand minimum expectations from them, and when neither do, then consumers are the ones who lose.

Bob Amster
Trusted Member
5 years ago

This does not have to be a problem. The situation creates an opportunity for companies to provide a certification method to the manufacturers of the IoT devices just like all electrical devices sold in the U.S. have to be UL approved, or else. Caveat emptor!

Ralph Jacobson
Member
5 years ago

Typically, situations like this tend to affect the manufacturer more than the retailer, however retailers are definitely at risk, not just because consumers may think they need to vet the products they sell, but they will have to deal with additional handling costs for returns if a big breach happens with a particular brand. I see a third party coming in soon to get traction in the ubiquitous security of IoT devices and running away with huge profits selling subscription services to protect the consumer regardless of device.

Ken Wyker
Member
5 years ago

Consumers already know the benefits of IoT devices, but most are not yet considering the potential downside of lax security. When consumers are made aware of the vulnerability, it will likely change their perception of value.

The impact on retailers will most likely be a reduced usage of IoT devices for automatic ordering from the devices. If you can’t be sure that the device is secure, do you really want it able to charge your credit card?

Cynthia Holcomb
Member
5 years ago

Consumers are ignoring privacy common sense in exchange for cool, smart home IoT. Frequent data breaches of baby cams and Alexa devices are not resonating yet. While device makers and retailers play a role in the adoption of IoT devices, consumers, willing participants, are creating demand. There will be a “tipping point” of incidents jolting consumers into a frenzied backlash against “listening” devices in the home and office. Retailers must be prepared legally for the inevitable. Consumers must be told when purchasing an in-home IoT device, privacy is not guaranteed.

Adrian Weidmann
Member
5 years ago

Both retailers AND manufacturers need to heed the voice of consumers. Not unlike online missteps, brick-and-mortar cannot simply point to the manufacturers for guilt. Today’s shopper expectations will hold retailers accountable — not to the same degree as the manufacturers but guilty nonetheless. As retailers offer more managed services, this accountability will increase exponentially. These devices still require installation and integration with the consumer’s home IP network and as such interface and security issues will abound. The recent discovery, and lame admission/excuse from Google, that their device had an integrated microphone shows the nefarious potential of these devices. Ever since getting involved with video analytics technology 10+ years ago, I’ve had a post-it covering the camera lens on my laptop.

Cate Trotter
Member
5 years ago

I think we’re going to see some serious shake-up in the IoT sector with certain standards and regulations being adopted to try and create a minimum level of security across all products. Ultimately this comes back to the IoT product manufacturers – they need to be thinking seriously about the security of their devices. It’s not enough now just to throw the ability to connect to the internet into any product going. If customers don’t feel secure in their purchases it may cause a slowdown in adoption, and even see people who have got IoT devices returning them. This is where it becomes an issue for retailers, especially those who have got into smart homes in a big way. An impact on sales, and an increase in returns, does not make for good business. And while the manufacturer may be at fault, retailers will be the frontline for customer complaints. Customers may even question why a retailer sold them a device that wasn’t secure, which could impact the ongoing relationship.

Ken Morris
Trusted Member
5 years ago

IoT security may be the new security issue that eclipses credit card and personal data issues of the recent past. With the explosion of IoT devices and chipped products and no clear security standards enforced, it is a big issue for manufacturers of IoT devices, consumers and the retailers that sell to them.

Retailers selling these devices should be leery of unknown brands and larger retailers will likely develop IoT security teams to screen products they sell to consumers. Retailers should enforce their own standards to avoid the potential lawsuits that this technology is sure to generate.

This will be an interesting issue to watch.

Oliver Guy
Member
5 years ago

Multiple pieces of research point to the fact that the three biggest barriers to IoT adoption are unclear business cases, difficulty connecting to existing infrastructure and security concerns. These things are holding retailers back with their investments more than in any other industry. There are multiple examples of IoT focused initiatives in production where security and privacy could potentially be a much bigger concern (smart cities, manufacturing, connected insurance devices). These projects are already generating incremental revenue and enabling real change for the companies who have taken the initiative.
Retailers need to learn lessons from these projects and the precautions they have taken to deal with the concerns.

Of the initiative examples where security would be a concern, one thing they all have in common is that they focus on using technology and connectivity that would be trusted by a communications provider because it meets their requirements in terms of providing carrier grade levels of security.

BrainTrust

"If you’re going to offer services around IoT, then you’d better have your act together about which devices you are willing to sell and support."

Nikki Baird

VP of Strategy, Aptos


"Talk about the Wild, Wild West! Every day, customers are deploying devices that then report back to the manufacturer and third parties, often without the customers’ knowledge."

Cathy Hotka

Principal, Cathy Hotka & Associates


"Retailers selling these devices should be leery of unknown brands and larger retailers will likely develop IoT security teams to screen products they sell to consumers."

Ken Morris

Managing Partner, Cambridge Retail Advisors