Can You Assess IoT Devices Risk?

The Internet of Things (IoT) ecosystem includes a broad variety of devices and device-systems such as power plants, vehicles, home appliances, etc. Its global market size is expected to grow from USD 170.57 Billion in 2017 to USD 561.04 Billion by 2022, at a Compound Annual Growth Rate (CAGR) of 26.9%, according to marketsandmarkets.com.

But what is the risk entailed in the use of IoT devices? There seems to be no proper mechanism to help users understand the risk/reward tradeoffs around these commonly used “personal” Internet-connected devices, which makes it difficult for them to form any effective understanding of their risks.

Irrespective of how they are marketed, smart devices like Amazon Echo, Amazon Key, Google Home, etc. are “Lifestyle Products” aimed at improving convenience – how necessary these products are depends on how meaningfully they integrate into one’s lifestyle.

According to arstechnica.com, whether it is “worth” compromising some security/privacy to reap the conveniences offered by these products is a very personal and subjective decision. In some cases there is genuine improvement to one’s quality of life (e.g. voice assistants are quite useful for people with certain disabilities), but in other cases, these Internet-connected products just add to the number of avenues that could be used to compromise one’s security (these “avenues” are formally called attack vectors).

So how do we decide what products are “safe”? In other words, what is “acceptable risk” in the tradeoff between security and convenience? Clearly, there are no “right” (or standard) definitions here, but until we decide on what these things should mean in this context, we will always come back to the same debate every time a new Internet-connected product is released.

Further, risk assessment in the IoT ecosystem is fairly complicated owing to, among other things, the non-homogeneity of the underlying platforms. Given this scenario, there is little value in defining/adopting the same terminology and risk assessment metrics for an Internet-connected speaker for domestic use and a wireless sensor for crop monitoring. In other words, although there is the unifying theme of all these IoT devices being connected to the Internet, threats associated with “Internet Connected Lifestyle Products” need to be visualized differently.

Given the fragmented nature of this Internet Connected Lifestyle Products ecosystem, there is no objective, generalized way to definitively determine what level of risk is “acceptable” except to analyze each case where security would be compromised for convenience and determine what trade-offs would be acceptable for each user in each of these cases. At best, we could group similar cases and give some general best practices, but this is not nearly enough given how some of these devices can catastrophically compromise one’s security (often due to suboptimal/erroneous risk assessment).

The leading conference in Israel on IoT from the security perspective will be held on December 25th, 2017. The IoT 2017 Conference and Exhibition is organized by iHLS which specializes in homeland security, with the participation of the leading experts and industries of the Security IoT ecosystem in Israel and abroad.
