Security should be the default in IoT devices because our current state of affairs is only asking for disaster. As extensive research in both cybersecurity and the behavioral sciences tells us, most people, given a set of options, will stick with the default choice. Thus, most IoT “users,” whether everyday consumers or a federal agency, likely won’t change default passwords; they likely won’t change the encryption settings; they likely won’t look into the device’s security at all. They are insecure because the provided, default settings are insecure.
If we break this down further, there are many reasons for this fact. Behavioral economics and decision heuristics account for some of this “complacent” behavior and “status quo bias,” but it mostly comes back to a lack of education on technology and cybersecurity. Since most of the people purchasing and using these devices aren’t aware of these security problems – let alone how to fix them – the devices are left unsecured, and hackers can easily break in. By changing the defaults, however, we can drastically improve IoT security – and play to people’s biases in a way that makes everyone safer.
It’s time we change the state of IoT (in)security:
Technology Leaders
Pressure IoT manufacturers to strengthen device security. As soon as you purchase devices for your company, check their encryption standards, change their default passwords, and don’t put them online until you rigorously penetration-test each individual device (e.g. with buffer overflow attacks). Work with policymakers to write compliance guidelines that make security the default – and continuously speak with them about new security techniques as they’re developed; if policy is to stop falling behind technology, we need better communication across channels. When developing organizational security policies, expect IoT insecurity. Purchase additional software to secure IoT devices, minimize network overlaps whenever possible (i.e. don’t connect a water system to a power grid), and encourage your peers to do the same. And collaborate with educators to bring the public, and the leaders of tomorrow, up to speed.
Policymakers
Write regulations that make IoT security the default. Require device manufacturers to use industry-grade encryption, to implement essential hardware security features, and to use strong default passwords that are different for each device. Consult industry experts – both development- and management-level – to understand cutting-edge hardware and software security techniques, and then integrate them into your standards. Continuously speak with these technology experts so your policies don’t fall behind (which, in today’s world, can happen very quickly). Implement checks and balances that ensure compliance on all fronts. Reach out to educators and work to increase technology “literacy” among citizens. And always keep learning – because it’s vital that all policymakers understand technology.
Educators
Draw attention to IoT insecurity. Educate yourself on the Internet of Things and important cybersecurity jargon, and then spread that knowledge to others. Advocate for general technology education in public schools rather than just coding classes – and if you are a technology instructor, make IoT and cybersecurity a part of your curriculum. Encourage students to explore these ideas on their own, and provide resources to that end. Work with policymakers to support students going into cybersecurity. Speak with the tech industry about how best to prepare future generations for our promising and dangerous cyber world, and try to close any gaps between tech education and tech “reality” that may exist.
IoT is insecure and everywhere, and its presence is growing. The time to act is now.