The Internet of Things (IoT) — the trend toward embedding computer-enabled sensors into other products — offers a massive potential for data and analysis, but it introduces massive vulnerabilities as well that businesses must prepare for.
“Putting a computer into everything turns the whole world into a computer security threat,” said Phil Harris, an intellectual property attorney with Holland & Hart, which recently held a talk on the subject.
More than 30 billion IoT devices are predicted to be available by 2020, Harris said. Already, there have been a number of security incidents where such devices acted as a vector for an attacker, ranging from the casino that got hacked through an internet-enabled aquarium thermostat to a Nest baby monitor where an intruder threatened to kidnap the baby.
Part of the problem is that the market is so hot for these devices that developers aren’t taking the time to include security in them from the beginning or patch vulnerabilities as they appear. In addition, some vendors don’t do a good job aggregating or anonymizing the data they generate and store, making it easier to track information belonging to individuals, Harris said.
The IoT can be used to hack into a company’s network in a variety of ways, for instance, using them as a denial of service vector or flooding the devices with too many requests. “Man in the middle” attacks pretend to be a legitimate IoT device and use it to record data. Another approach utilizes malware that breaks into the network via the IoT system.
Laws have been passed in California, scheduled to take effect next year, that promulgate regulations requiring security features for internet-connected devices. While Idaho doesn’t have such laws, manufacturers will need to develop security features for their products so they’ll comply with California laws, and that would help Idahoans, Harris said.
The IoT Security Foundation publishes a list of best practice guidelines, but they boil down to planning, allocating resources, training personnel, dynamically monitoring the devices, reacting quickly to issues and solving problems such as vulnerabilities, Harris said.
In a related issue, Harris also discussed autonomous vehicles. Currently, autonomous vehicles aren’t legal to even be tested in Idaho, though a number of neighboring states, particularly Nevada, are on the forefront of autonomous vehicle technology.
A working group on autonomous vehicles held three meetings over the summer and recommended that the Idaho Legislature implement testing at least, but no legislation was brought forward at the most recent legislative session. Gov. Brad Little has not yet indicated whether he plans to re-form the committee or provide any other support for autonomous vehicles, such as through an executive order.
Part of the challenge is the chicken-and-egg problem of whether to enact policy first or wait for the technology, Harris said. It’s difficult to enact policy without knowing how people will use technology, he said. And much of the policy is only peripherally related to the technology. For example, if an autonomous vehicle has an accident, who’s at fault?
Driverless vehicles could cost as little as 20 cents per mile, compared with $1.50 per mile for a driver-enabled car, thanks to improved safety and driving efficiency, as well as not having to pay a driver, Harris said. While there is currently a lack of truck drivers, autonomous trucks would put the drivers Idaho does have out of work, he said.
Once Idaho realizes how much the rest of the nation is working on autonomous vehicles, state lawmakers will fall in line, Harris predicted, noting that Idaho-based Micron, through its Virginia subsidiary, is developing products for autonomous vehicles.
“Every vehicle will have a terabyte of data stored on it,” he said.