This post is also available in: heעברית (Hebrew)

Industries are beginning to adopt Internet of Things (IoT) technologies in unprecedented scopes. However, security concerns continue to threaten IoT’s progress. A study by security company Gemalto, for example, found 90 percent of consumers lack confidence in the security of IoT devices. Nearly two-thirds of IT professionals surveyed by security vendor Pwnie Express said they had more misgivings about device threats in 2018 than they had the year before.
It seems inevitable that in 2019 IoT security will command more and more government attention. With international tech research firm Gartner predicting the number of connected things to reach 20.4 billion by the end of the decade, the attack surface is growing exponentially. Yet the public is largely unaware that connected devices can be used to attack other devices, and the industry hasn’t done enough to address device security. The combination makes it likely legislators and regulators in capitals around the world will feel it necessary to intervene.
In a report, Gartner is quoted describing what it calls “disturbing trends” in IoT, including “product and service vendors are paying little attention to scenario- or vertical-specific requirements for IoT security” and “technical standards and frameworks for IoT security are almost nonexistent or beta editions.”
To date, however, companies have faced little concrete legal obligation to build stronger security into devices. It’s still common for devices to ship with hard-coded passwords or passwords that hackers can figure out and exploit too easily. Most consumers aren’t even aware of this vulnerability.
Recently a few new laws and regulations have been passed, such as a California law requiring manufacturers of any devices that connect to the internet to include “reasonable” security features, including unique, user-set passwords for each device. Some security experts, however, have criticized the law as too weak. Well-known consultant Robert Graham wrote, “it’s based on the misconception of adding security features. It’s like dieting …. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add ‘security features’ but to remove ‘insecure features’”. It will be interesting to see just how aggressively governments push, stronger laws? Or gentler approaches, like the United Kingdom’s government website that provides a voluntary code of practice?
Strong action may be required to get the industry’s attention. A major IoT security incident, of course, would add urgency to the situation, but to date there hasn’t been one that has attracted international attention in the same way as high-profile attacks on retailers, social media sites, government agencies and others in recent years.
In what’s considered an internet first, cyber attackers in September 2016 forced well-known security journalist Brian Krebs to take down his site, after hijacking hundreds of thousands of cameras and other internet-connected devices to overwhelm his site with traffic. The attack made international headlines, but it was more than two years ago. It could have been a tipping point for new regulation, but that didn’t happen.