Is that smart light bulb spying on you? Connecting household objects to the Web – the “Internet of Things”, or IoT for short – holds amazing promise and is spawning new applications all the time. In the world of IoT, light bulbs turn on automatically while you’re at home and turn off when you leave. A smart pet-food dish feeds your cat while you’re on vacation. Smart thermostats (like Google’s Nest) adjust heating or cooling when you’re away to save energy. Smart home-security cameras answer nagging questions, like whether you remembered to turn off the stove. IoT is catching on in enterprises, too.
Yet the promise of IoT turns surprisingly ugly when it comes to security, particularly in the business world. Consider the rogue light bulb example above. Let’s imagine a corporate office installed this bulb to cut its energy bill. To accomplish that, they’re using the bulb’s sensors to track motion in and out of the office: when everyone goes home, the light bulb turns off.
But IoT is so new that users often aren’t aware of all the sensors these devices include, or of the ramifications they may have for privacy. That same light bulb in our example above may be able to record video and audio, for example. (Such a smart bulb, equipped with a camera and a microphone, was actually shown off at last year’s giant CES electronics trade show.) The manufacturer may have activated all those sensors by default, and nobody at our energy-conscious enterprise switched them off. The bulb is connected to the Internet, and – unlike laptops and smartphones – lacks a standard security protocol to protect the data it collects. In one scenario, an ill-intentioned hacker, using the search engine Shodan, could find this vulnerable IoT device, open the unprotected video and audio feeds, and voilà: you’re on Hacker Candid Camera.
Why can’t we use everything we already know about information security to protect the Internet of Things? There are two big reasons. First, IoT manufacturers need to adopt a standard protocol, like SSL in e-commerce, to make these devices consistently secure. Computers and other devices in the enterprise communicate with servers and with each other via the standard TCP/IP framework. In contrast, IoT devices currently employ hundreds of protocols (ZigBee, Thread and MQTT, to name a few), which makes them more vulnerable.
And since IoT devices, especially things like light bulbs or thermostats, are so small, it’s difficult for them to handle complicated software updates and patches, compared to more-powerful computers or servers. IoT devices are also usually built with proprietary hardware and custom software. This all makes it more challenging to manage these devices, push frequent updates, and enforce access control.
Second, cyber-security threats themselves are changing. Cyber-thieves used to attack a company externally, trying to breach a security perimeter. Defenders would detect an outside vulnerability, write a “signature” – a snippet of code that recognizes and blocks that threat – and repeat ad infinitum.
But as perimeter-security software has dramatically improved, the bad guys have switched their approach. Now savvy cyber-thieves don’t waste time attacking a well-fortified perimeter. Instead they aim at the boring, everyday network activity happening inside a company’s walls – like smart light bulbs automatically turning on and off. This data is so boring and extensive that most companies don’t even store it, let alone analyze it for suspicious patterns. So that spying light bulb could record every sensitive conversation happening in your CEO’s office for years before anyone notices.
The surprising new hero in this security frontier is artificial intelligence. Powered by the computing speed afforded by cloud computing, new AI-enriched security tools monitor enormous reams of internal data in real time, producing prioritized signals that humans then investigate further. Some of those signals may not be actual threats, but a handful of them will be. Security execs can then move speedily to address real threats, while feeding the results of those efforts back to the machines. That’s how AI-based cyber-security tools get smarter over time, producing fewer and fewer false positives with accelerating speed. Securing “endpoints” no longer stops after a user logs into an application; instead, the device is monitored continuously after that to detect new threats.
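The “boring” internal traffic described above is exactly what a per-device baseline can make useful. The following is an added example, not code from the original post or from any product it mentions: it builds a baseline of daily bytes sent and destination ports for each IoT device from constructed flow records, then flags a device whose traffic suddenly departs from it (here, a light bulb that starts sending audio/video-sized volumes to a port it never used before). Device names, ports and byte counts are all made up for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not from any real network):
# (day, device, destination port, bytes sent by the device on that day)
FLOWS = [
    (1, "bulb-3f", 443, 1200), (2, "bulb-3f", 443, 1100), (3, "bulb-3f", 443, 1300),
    (1, "thermostat-a", 443, 8000), (2, "thermostat-a", 443, 7600), (3, "thermostat-a", 443, 8400),
    (1, "cam-lobby", 443, 900000), (2, "cam-lobby", 443, 880000), (3, "cam-lobby", 443, 910000),
    # Day 4: the bulb keeps its normal chatter but also streams to an unseen port
    (4, "bulb-3f", 443, 1250), (4, "bulb-3f", 8443, 450000),
    (4, "thermostat-a", 443, 7900),
    (4, "cam-lobby", 443, 895000),
]

def build_baseline(flows, days):
    """Per device: (median daily bytes out, set of destination ports seen) over `days`."""
    daily, ports = defaultdict(int), defaultdict(set)
    for day, dev, port, nbytes in flows:
        if day in days:
            daily[(dev, day)] += nbytes
            ports[dev].add(port)
    volume = defaultdict(list)
    for (dev, _day), total in daily.items():
        volume[dev].append(total)
    return {dev: (median(v), ports[dev]) for dev, v in volume.items()}

def score_day(flows, baseline, day, factor=5):
    """Alerts for devices whose traffic on `day` deviates from their own baseline.

    A device is flagged when its daily volume exceeds `factor` times its median,
    when it talks to a destination port never seen before, or when it is unknown.
    Returns a sorted list of (device, reason) tuples."""
    totals, ports = defaultdict(int), defaultdict(set)
    for d, dev, port, nbytes in flows:
        if d == day:
            totals[dev] += nbytes
            ports[dev].add(port)
    alerts = []
    for dev, total in totals.items():
        if dev not in baseline:
            alerts.append((dev, "unknown device"))
            continue
        med, known_ports = baseline[dev]
        if total > factor * med:
            alerts.append((dev, f"volume {total} vs baseline {med:.0f}"))
        for p in sorted(ports[dev] - known_ports):
            alerts.append((dev, f"new destination port {p}"))
    return sorted(alerts)

if __name__ == "__main__":
    base = build_baseline(FLOWS, {1, 2, 3})
    for dev, reason in score_day(FLOWS, base, 4):
        print(f"{dev}: {reason}")
```

On the constructed data only the bulb is flagged, twice: once for volume and once for the new port, while the camera’s large but steady uploads stay quiet because the baseline is per device.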
Between six and 15 billion IoT devices are already connected, and the pace will only quicken. By 2020, Gartner predicts we’ll top 20 billion web-connected “things”. In that same year – just four years from now – Gartner expects more than 25% of enterprise security attacks will involve IoT. But currently enterprises are investing only 10% of their security budgets to deal with this growing threat.
So many Web-connected devices mean the potential “attack surface” – the landscape of devices that could potentially be exploited – is expanding quickly. But the app economy that will grow up around IoT devices makes the security threat mind-bogglingly bigger. To wrap your mind around this, consider your iPhone. Millions of people have purchased this device since it was introduced in 2007 – but the iOS apps that render the phone useful have become exponentially more numerous than the devices themselves.
More IoT apps and devices mean this interconnected network will touch people, and increasingly companies, in multiple ways – so expect more action by enterprises to secure themselves as IoT proliferates.
This post originally appeared in Forbes here.