illustration: internet of things appliances connected to a secure network

While the promises of IoT are undeniable, the market also faces a number of problems that are just starting to surface, leading companies to directly address them. Internet of Things security is barely starting to be a subject on the mainstream consciousness.

Over at the Shanghai Mobile World Congress, a group of more than a dozen mobile operators from around the globe committed themselves to using the IoT Security Guidelines provided by GSMA, the company behind the event. Writing for Mobile World Live, Joseph Waring reported that AT&T, China Telecom, China Unicom, Deutsche Telekom, Etisalat, KDDI, Orange, Telefónica, Telenor and Telia have all agreed to adopt “a comprehensive security assessment scheme to ensure IoT services are protected against security risks.”

According to GSMA’s estimations, IoT connections will reach a staggering 3.1 billion by 2025. That’s not so far ahead, so it’s clear that for the industry to achieve optimal prosperity, a few actions must be taken as soon as possible. Mainly because the threats are already upon us.

Internet of Threats

Over at Wired, vulnerabilities in the IoT sector were exposed when journalist Lily Hay Newman published an article titled “A long-awaited IoT crisis is here, and many devices aren’t ready.” In it, she describes a critical flaw present in a networking protocol called Universal Plug and Play, which helps commercial devices like routers and printers to discover and communicate with each other. It’s an essential function for IoT, but one that presents many problems.

Flaws in UPnP were discovered a long time ago by researchers, though it all remained in theory and no one could demonstrate that they were actually being used maliciously. Until recently.

Security intelligence response team Akamai was responsible for the discovering. Senior engineer Chad Seaman explained that that they wondered how many vulnerable devices were out there, since most people seemed to have to forgotten about it. The discovery was worrying: 4.8 million devices on the open internet showed irregular activity. Of those, about 765,000 “also had a secondary implementation issue that created a bigger network communication vulnerability.” Furthermore, 65,000 of those showed direct evidence that attackers had injected malicious commands into them.

That shows the real problem: many of these devices are already out there. UPnP vulnerabilities have always been around, but only until recently were they exposed. Until now, the industry hasn’t taken Internet of Things security seriously, though perhaps that’s about to change.

Fighting the chaos

One of the main reasons these vulnerabilities are so hard to track is because every device is its own world. Meaning, most companies use proprietary software that doesn’t adhere to a common standard. Even if manufacturers use some of those standards, they can implement them in different ways.

That’s what GSMA wants to fight, and that’s why so many companies have already committed themselves. “For IoT to flourish, the industry needs an aligned and consistent approach to IoT security,” expressed GSMA CTO Alex Sinclair. “Our guidelines encourage the industry to adopt a robust set of best practices that will help create a more secure IoT market with trusted, reliable services that can scale as the market grows.”

However, concerns still remain. On a panel at Shanghai MWC, Frédéric Donck (MD, European Regional Bureau, Internet Society) said: “GSMA has plenty of the best practices, but we need Internet of Things security assessments too. Confusion and mistrust are the big issues—what happens when your daughter’s doll automatically connects to the internet?”

That is certainly a scary proposition, one that could take place an infinite number of times if we’re not careful. It might be that IoT is expected to hit billions of connections in the next decade, but for Donck, something is pretty clear: “The total IoT figure, however many millions or billions, will not be realized if security fails.”