The Internet of Things (IoT), the umbrella term for any connected device, represents one of the largest potential business opportunities for established companies and upstart entrepreneurs alike. In the next 5-10 years, we will see 50 billion new devices connect to the internet. However, we will also see exponential growth in costs related to cyber-crimes, if devices continue to be as insecure as they are today. So before we put smart devices in every home, let us first rethink the fundamentals of IoT security.
The recent attack on the DNS system leveraging the Mirai Botnet showed that attacks using insecure devices are becoming a serious threat to the services and systems connected to the internet. And Mirai evolves - it’s like an openly available weapon that can be used and adapted to new needs. What makes Mirai and the attack on the DNS system special is, that the owners of infected devices that carry out an attack don’t even notice that their devices are involved in an attack. And this leads to the major problem. Neither manufacturing providers, nor suppliers or owners of those devices have a significant incentive to invest in securing these devices, because their financial benefit remains unharmed and damages are externalized.
Executives and entrepreneurs need to implement measures that safeguard others from potentially harmful actions of their devices - and they have to be rewarded if they do so. This is why the IoT requires a paradigm shift from focussing on device security to preserving the safety of others.
During our previous academic research in cryptography and our current professional work in running wattx, a company builder working on the Internet of Things, we have been confronted frequently with the challenges of security in hardware, specifically connected devices (hardware with the ability to send data to the internet). But these issues are not predominantly linked to the startup world. Our parent company Viessmann, a 100-year-old industrial family business, is wrestling with similar challenges in their core business. They are building smart climate devices (think smart thermostats, connected boilers, or supermarket cooling cabinets). And they are not alone. Almost all larger industrial companies are either building or planning to build their own “smart” devices.