Could your kettle bring down the Internet?

One problem is that, unlike PCs or smartphones, many of these devices are meant to perform their tasks without drawing attention to the fact that they are really computers. They’re designed to be turned on and left to do their job with minimal human interaction. Yet one of the reasons people often run security checks and discover malicious software on their PCs is that the machines start to run more slowly or with minor errors. Internet of Things users are less likely to notice similar problems and have fewer options for determining what the problem is if they do.

Similarly, most Internet of Things devices are not able to automatically update their core software, something that is commonplace and expected of PC operating systems and smartphones. Instead, the devices require manual updates, often with quite complex procedures. So it is common for their security software never to be updated.

Network solutions

In order to fix these security problems, the tech industry needs to move from the current development process of building simple devices to designing better security measures into the basic systems. We’re probably more likely to see change happen faster if lawsuits damage the reputation and profits of Internet of Things manufacturers and force them into adopting better security measures.

One way to do this would be to limit devices to communications within the home intranet rather than permit direct access to the global Internet. These could be run and protected by a data management device, such as the Databox, that would act as a gatekeeper between the Internet and the home and would be easier to monitor and update. It would provide an extra level of security that would be especially useful for older devices that no longer receive software updates.

Another approach would be to design more bespoke software instead of running generic versions of the free, open-source Linux operating system. The recent attack appears to have exploited a vulnerability in the “BusyBox” software that was based on Linux in this way.

While there is nothing wrong with using open-source software, manufacturers should really use it as a starting point for creating a tailored system including only the features that are actually needed for the device. All software has vulnerabilities that will eventually be discovered and require patching. The more features the software has, the larger the code is and the more chances there are for vulnerabilities to be discovered before they are patched.

As long as cybersecurity problems seemed to only affect Internet of Things device users, most people have been willing to accept the risks of simple, insecure design for the sake of rapid innovation. But now the threat of attacks from botnets has made Internet of Things cybersecurity an issue for all Internet users to worry about. It is time for developers to grow up and take responsibility for their designs or risk interference from regulators.

Ansgar Koene is Senior Research Fellow, Horizon Digital Economy, UnBias, University of Nottingham. Derek McAuley is Professor of Digital Economy, University of Nottingham. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).