Several security experts have been pointing out the dangers posed by Internet of Things (IoT) devices which are too vulnerable in terms of data sharing and, thus, may endanger the lives of users. Now, the Japanese government has decided to undertake penetration tests against all the IoT devices in their country to figure out what is insecure and help consumers secure these 'smart' devices.
In February 2019, Japanese authorities would test password security of over 200 million IoT devices, starting with routers and webcams. Devices in people's homes and on enterprise networks will also be tested. Many citizens are calling this unnecessary, especially for password security. But, as we all know, password is, often, the weakest link in the electronic world and makes all smart devices and people vulnerable to frauds.
As I had explained in my article “Internet of Things: A Frankenstein?
, 28 Apr-11 May 2017), IoT is the inter-networking of physical (smart) devices, vehicles, buildings and other items embedded with electronics, software, sensors, actuators and network connectivity, that enable these objects to collect and exchange data.
The ‘things’, in the IoT sense, refer to a wide variety of devices, such as heart-monitoring implants, bio-chip transponders, electric clams, automobiles with built-in sensors, DNA analysis devices and field operation devices that assist fire-fighters in search & rescue operations, to name a few.
Everybody loves to flaunt their new gadgets. However, a majority are not even aware of the security and safety issues involved. IoT devices are one such example. The main reason being that all IoT devices available in India are ‘tiny computers’.
There are three inter-connected aspects which define IoT: sensors, processors to analyse and actuators. In other words, sensors are the eyes and ears, smart processors are the brain and actuators are hands and feet of the IoT. This is the classic definition of a robot. Unfortunately, none of the IoT devices has any embedded security measure or offers it as add-on.
IoT devices, such as cheap webcams, mobile phones, medical devices, smart-watches, anti-theft devices, drones and routers, are not designed with security in mind. The main reason is that these devices are produced on a mass scale, mostly in ‘copy-past mode’ rather than through research and development (R&D).
In addition, programme codes need constant monitoring to keep an eye on vulnerability and take immediate measures to rectify it. Often, manufacturers have no time and resources to pay attention on program codes; this ultimately ends up in poorly written codes for their IoT devices. This leads to user vulnerabilities.
As per reports, earlier this year, Spiral Toys, which sells CloudPets, the Internet-connected teddy bears that allow parents and kids to exchange messages, was found exposing the credentials of over 800,000 of its customers and two million messages.
In October 2016, a botnet, made up of about 100,000 compromised gadgets partially knocked off Dyn, an Internet infrastructure-provider. Taking down Dyn resulted in a cascade of effects that, ultimately, caused a long list of high-profile websites, including Twitter and Netflix, to temporarily disappear from the Internet.
In 2018, researchers at the Princeton University found several popular IoT devices sharing user information with third parties without the knowledge of the user. The user may not even know which companies or third parties are receiving her personal information from IoT devices, whether the IoT device has been hacked, or whether devices with always-on microphones are listening to private conversations.
Many of us, who love to flaunt such IoT devices, find it as a thing of convenience and, thus, are ready to sacrifice privacy and security. One such example is close circuit TV (CCTV) cameras, which are being promoted as security measures across the country. However, without real-time monitoring and knowing and controlling who is accessing the data, CCTV is just a show piece or, sometimes, a device to identify criminals after the incident.
Unfortunately, such lack of awareness and knowledge about IoT devices creates a big opportunity for data hungry corporates to measure, collect and analyse and ever-increasing variety of behavioural statistics.
With increasing production and usage of IoT devices, we are turning ourselves into miniscule parts of a gigantic robot that is getting smarter, more powerful and gaining capabilities, through the inter-connections we are building, without any real control or regulation.
This is where the Japanese government has shown a willingness to at least understand the issue. As far as India is concerned, the less said the better. Neither the ruling politicians nor the bureaucrats who, effectively, are running the system, have any interest in safety and security, especially for electronic devices and gadgets.