The blind spot of IoT: how safe are smart devices?

IoT devices often fall short in terms of security. Stricter regulations must better protect consumers against unsafe products.

More and more everyday products like watches, cameras, or doorbells are getting smart variants. These digital products are connected to the internet and thus form a completely new network, also called The Internet of Things (IoT). Smart devices are popping up like mushrooms, but often lag behind when it comes to security.

Pieter-Paulus Vertongen, CEO of Aaltra, and Erik Van Buggenhout, co-founder of NVISO, warn against the proliferation of cheap, poorly secured devices without ‘security by design’. They emphasize the importance of European regulations that must protect consumers against unsafe products.

From showers to car tires

The Internet of Things (IoT) is a broad concept. Vertongen describes IoT as “all products that are connected to the internet”. At first, we think of smart devices like watches, cameras, or doorbells, but IoT appears in the wildest products. “There are smart showers, ovens, but also car tires with chips that are connected to the internet,” says Van Buggenhout.

Security lags behind

Although many of these smart products are intended to make our lives easier, we often don’t consider their digital background. “IoT lags behind what you generally see in IT infrastructure security,” Vertongen begins. According to him, this is due to the high investment costs to provide IoT products with security.

Moreover, such devices have limited hardware. “If you want to run security protocols on them, they also need to be strong enough”, Vertongen states.

Hacking for the 90s

Because security is often lacking in digital products, they are an easy target for cyberattacks. “The vulnerabilities within these digital products are usually elementary. You could compare it to using simple passwords, like ‘admin-admin’,” points out Van Buggenhout. “These systems are deployed on a large scale in botnets.” The consequences of this are, for example, DDoS attacks or the spread of malware.

IoT is still in the pre-GDPR era.

Pieter-Paulus Vertongen, CEO of Aaltra

Moreover, IoT devices continuously collect data such as location, temperature, or times of presence. “Users often don’t know exactly what data is being collected and where it ends up,” says Vertongen. “According to GDPR legislation, it must be made clear what happens to your data. With IoT, we are clearly still in the pre-GDPR era.”

Car without brakes

Vertongen and Van Buggenhout both advocate for a security by design approach. “It’s too complex and often expensive to build in security afterwards.” Van Buggenhout illustrates this with an analogy. “I compare it to a car. A car has brakes, not to make you drive slower, but so that you have the courage to drive faster.”

“Are you in a car without brakes? Then you won’t drive fast. So, to fully utilize the car, you need good brakes. When you have a car with a powerful engine but no brakes yet, you might come to the conclusion that you need brakes to drive fast. Can you still integrate that into the car? Probably, but it’s not easy and moreover, it costs a lot of money.”

Proliferation of chips

Many IoT products on the market do not meet cybersecurity requirements, mainly because they need to be cheap and functional, without attention to security by design during development. According to Van Buggenhout, this leads to a proliferation of poorly secured devices, where chips are built into various applications without adequate security. The ease of production further exacerbates this problem.

Bird for the cat

To protect consumers against unsafe products, a European regulation has been created that imposes minimum requirements on manufacturers. “The Cyber Resilience Act is intended to prevent unsafe or hastily assembled IoT products from entering the market”, states Vertongen.

Companies that launch products without the ability to update them remotely are sitting ducks.

Pieter-Paulus Vertongen, CEO of Aaltra

“There are companies that launch their products without the ability to update them remotely. In that case, you’re a sitting duck.” Without updates, devices can pose a persistent risk once they are in use.

Security label

In the United States, they are taking it a step further to increase consumer awareness. The Cybersecurity Trust Mark is a US initiative that aims to provide more transparency to consumers and businesses regarding the security of digital products. “You could compare the label to an EPC or energy label, but for cybersecurity”, Vertongen explains. Currently, the label is not yet implemented in Europe or Belgium, but Vertongen and Van Buggenhout are already convinced of its added value.

“Consumers often unknowingly buy vulnerable IT products because they cannot assess the risks,” says Vertongen. Moreover, a universal label would ensure fair competition. “Companies that invest more in security would consequently be rewarded for it.”

“It’s unfortunate that customers today are not sufficiently informed about how secure a product is”, Van Buggenhout says. “I’m convinced that consumers are willing to pay more for a product they know is secure. Currently, they are not adequately informed.”