Hot on the heels of news reports about Amazon employing thousands of staff to listen to Alexa voice recordings, the World Economic Forum has published its own view on the security risks of Internet of Things (IoT) devices.
In a blog post by Amy Jordan, Delivery Lead at the WEF’s Centre for Cybersecurity, the organisation says that securing the IoT will be critical to the success of the Fourth Industrial Revolution (4IR).
Publication follows news that proposed US legislation to prevent unauthorised audio recordings by IoT devices has been watered down, after lobbying by powerful vendor group the Internet Association.
With forecasts of 25 billion or more connected devices being online by 2021, Jordan says that there are “significant risks” associated with the proliferation of systems that capture our data and are increasingly interconnected.
There are three ways in which the IoT poses risks, she writes. First, the sheer number of interconnected devices means that users’ personal data can be combined in new and powerful ways, to create the fabled ‘single view’ of a customer, perhaps.
While this may be useful for enabling improved customer experiences, it also means that companies that have access to this data (or individuals who might want to steal it) can learn a huge amount about someone’s behaviour through potentially innocuous devices.
“For example, the routes your autonomous car travels, the contents of your fridge, and the data from your smartwatch, can all be combined to reveal a powerful picture of an individual’s life,” she says. “While this can be used for marketing purposes, or indeed to suggest improvements to an individual’s daily life, it can also be a route in for those who wish to manipulate someone’s behaviour.”
But IoT devices don’t only allow hackers access to individuals’ data and habits; they also provide a route in to undermine the very architecture of the Internet, she warns – as evidenced by the spread of the Mirai botnet in 2016.
Third, the risks posed by IoT devices rise even higher in smart cities, Jordan suggests. “Here, the risks move from being privacy-related to potentially posing physical threats,” she writes.
At a Westminster eForum conference on smart cities in February, a number of speakers from both private and public sectors expressed the view that smart city advocates have for too long focused on the technology, and not on the critical factor: people.
Theo Blackwell, the Greater London Authority’s Chief Digital Officer, said, “A smart city is one that looks at how we embed the principles of service design in what we do, how we use data better, and how we engage with the wider ecosystem. So a smart city is not a thing, it’s a process.
“One of the dangers with a lot of smart-city talk about ‘platforms’ and ‘big data’, is that [it creates the impression that] it’s one approach for a city. But I don’t think that speaks for, or is desirable in, a city as diverse and different as London.
“What we really need is data. And new organisations, new institutions, to deal with the data economy that’s all around us, to mobilise it for civic benefit, and ensure that we can face the future.”
Blackwell was one of several speakers to say he no longer uses the term ‘smart city’ as he believes it is unhelpful.
One mechanism for rebalancing the debate would be to use the UN’s Sustainable Development Goals (SDGs) as a design framework and set of ethical principles, suggested Dr Rick Robinson, Digital Property and Cities Leader at building services provider, Arup.
But technical solutions are needed too, writes the WEF’s Jordan in her blog. “Various initiatives are underway to help secure consumer devices and to incentivise the producers of these devices to ensure security is an integral part of their design,” she says.
A set of principles for how to secure consumer IoT devices was recently endorsed by the European Technical Standards Institute (ETSI) – one that builds on a 2018 UK code of practice for IoT security by design.
The three pillars of that guidance are:
- Ensure that devices come with unique preset passwords, not simple ones that the manufacturer expects a user to change.
- Companies that produce Internet-connected devices and services should provide a point of contact so that problems can be reported. And,
- Software updates or patches should be easy to implement and timely.
Hardly an unreasonable set of demands, but not easy to achieve when countless manufacturers – many of them in China – are rushing low-cost devices onto the world market to capitalise on consumer demand.
So can legislators step deeper into the breach? California has become the first state in the US to pass a specific IoT cyber security law, adds Jordan, who concludes, “There is still a long way to go in ensuring that the IoT can be secured to protect the future benefits of the 4IR, but the collaboration shown by this recent work is a positive sign.”
The WEF says that it is “working on a number of initiatives to capitalise on the benefits of the IoT, and ensure they can be harnessed safely and securely. The Centre for Cybersecurity will be “working with public and private sector partners in order to build on this work and help ensure that the full benefits of our connected future can be secured,” it says.
Be part of a discussion and connect with like-minded leaders in your sector at our forthcoming trade event – The Sensor Show – next year.