The Internet of Things (IoT) is set to revolutionize our world and is already having a significant impact in many areas of our day-to-day lives. But what exactly do we mean by the IoT, and why is it so important that it is secure?

In short, the IoT can broadly be described as any thing that is connected to the internet, but is increasingly being used to define technologies which connect to each other through sensors and networks and make things happen.

The possibilities for the use of IoT-connected devices and technologies are almost endless, and businesses are continually looking for new ways to create an ever more connected world. A recent report suggested that 14.2 billion connected things will be in use in 2019 and the total will reach 25 billion by 2021.

Examples range from the fairly mundane, such as sensors which allow lights to be switched on and off, to smart watches and driverless cars, health monitors and the commonly cited “smart fridge”, which might one day allow for delivery by drone of grocery supplies without the consumer even having to write a shopping list.

All of these developments provide the potential for boosting efficiency, improving user experiences, and even saving lives. However, there are risks associated with the proliferation of devices that capture our data and are increasingly interconnected.

Three ways in which the IoT poses risks

Firstly, the proliferation of internet-connected devices means that users’ personal data can be combined together in new and powerful ways.

While this can be useful in terms of enabling improved customer experiences, it also means that the companies who have access to this data (and those who might want to steal it) can learn a huge amount about individuals’ behaviour through potentially innocuous devices.

For example, the routes your autonomous car travels, the contents of your fridge, and the data from your smart watch, can all combine together to reveal a powerful picture of an individual’s life.

While this can be used for marketing purposes, or indeed to suggest improvements to an individual’s daily life, it can also be a route in for those who wish to manipulate someone’s behaviour.

But IoT devices don’t only enable potential hackers access to individuals’ data and habits. They also provide a route in to undermine the very architecture of the internet.

In 2016, a botnet was created which took advantage of a huge number of IoT devices by effectively scanning the internet to test for those devices which had default usernames and passwords. The devices then became infected with malware called Mirai, which became part of the largest DDoS (distributed denial of service) attack ever, leading to vast portions of the internet becoming inaccessible, including Twitter, CNN and Netflix.

Thirdly, the risks posed by IoT devices rise even higher when we start to envisage “smart cities”, where the digital ecosystems of whole cities are interconnected. Here, the risks move from being privacy-related to potentially posing physical threats. For example, we have already heard about autonomous cars being affected – maliciously or not – and the risks will only increase as the online and physical world become increasingly intertwined.

Building in global standards by design

In order to fully harness the potential of the future of these devices, governments and manufacturers have started to put their heads together to come up with a new technical architecture to enable the security of connected devices without hampering the consumer experience or adding too much additional cost and process.

Various initiatives are underway to help secure consumer devices and to incentivize the producers of these devices to ensure security is an integral part of their design. A set of principles for how to secure consumer IoT devices were recently endorsed by the European Technical Standards Institute (ETSI), which builds from a UK code of practice for IoT security published last year.

The ETSI specifications set out that the three main criteria to look out for in buying internet-connected devices, which should help protect against a large number of attacks, are as follows:

  1. Ensuring that devices are not pre-set with passwords that expect to be changed by the consumer, but that are unique. This would have helped prevent the Mirai attack and removes the onus on the consumer to change passwords.
  2. That companies which produce internet-connected devices and services should provide a point of contact so that issues can be reported. This allows companies to be able to respond and fix any issues.
  3. That software updates or “patches” to connected devices should be easy to implement and timely. This ensures that software glitches, which could provide a weakness for an attack, can be corrected if needed.

California has also become the first state in the US to pass a specific IoT cybersecurity law, which specifies certain measures that must be taken by manufacturers to secure devices.

There is still a long way to go in ensuring that the IoT can be secured to protect the future benefits of the 4IR, but the collaboration shown by this recent work is a positive sign.

The World Economic Forum is working on a number of initiatives to capitalize on the benefits of IoT and ensure they can be harnessed safely and securely. The Forum’s Centre for Cybersecurity will be working with public and private sector partners in order to build on this work and help ensure that the full benefits of our connected future can be secured.

Why global collaboration is needed to protect against a new generation of cyber threats

The internet is a vastly complicated patchwork of protocols, data and codes, which only a limited number of true tech geeks really understand. And yet it pervades our day-to-day lives on a scale no one could have envisaged when the world wide web was created only 30 years ago.

New technologies and applications are arising at a dizzying speed, and it’s not only consumers who are trying to keep pace with the array of new offerings at their disposal. Security professionals are also trying to keep up with the implications of new devices and their uses, and to ensure that they cannot be turned against their users or put to use for malicious purposes.

At the same time as defending against the misuse of new technologies, the fundamental technical architecture of the internet itself appears to be increasingly under threat from those who wish to seek new ways to attack and undermine it.

In January this year, the US Department of Homeland Security issued an ‘emergency’ security alert which urged federal civilian agencies to secure the login credentials for their internet domain records. This went largely unnoticed by mainstream media, but in fact it raises some serious questions about the future security of the underlying architecture of the internet. In follow-up reports, Microsoft estimated that attackers have “already caused hundreds of millions of dollars in damages by stealing secret data and wiping information from the computer networks of 200 companies over the past two years”.

What is DNS and why does it matter?

When we want to visit a webpage, we type in an address such as www.weforum.org (otherwise known as a domain name). Behind the scenes, a system called the Domain Name System converts this name into a series of numbers called an internet protocol (IP) address that allows computers to identify each other and, via domain name servers, to map the name you have typed onto an IP address.

Without this system, it would be pretty complicated to find our way around the internet – the DNS is therefore a fundamental part of the internet’s architecture. The management of the DNS is coordinated and managed by the Internet Corporation for Assigned Names and Numbers (ICANN), which is a global, multi-stakeholder and not-for-profit organization which seeks to ensure the stability and security of the DNS.

This is no easy task, and as the recent security alert demonstrated, is one which is becoming increasingly challenging. This is due to the fact that some malicious actors have started to manipulate the domain name system by hijacking some internet traffic and rerouting it to potentially malicious IP addresses. This is commonly known as a ‘man in the middle’ attack. These attacks are often used for example to redirect consumers to fake banking websites and to fraudulently obtain money or data, such as login details, from unwitting consumers.

Three ways in which the global community can help secure the internet

Whilst it raises some serious questions about the security of this core element of the internet, all is not lost. There are already technologies in place which can prevent this type of attack, but the challenge is in ensuring that they are properly implemented. ICANN are running a series of collaborative events to discuss how to better secure the DNS and other fundamental elements of the internet’s core architecture. Three things which can be done are:

Internet service providers can implement DNS security measures by default to ensure that the internet traffic they carry is correctly routed. This has the potential to protect millions of customers.

Businesses should ensure they have implemented basic security measures, and demand that their communications providers also have DNS security in place, as well as features which enable secure e-mailing.

Hardware providers also have a role to play in building in DNS security, which can help prevent attacks being launched through vulnerabilities in the hardware itself.

The security of the internet is only as strong as its weakest link. It is in the interests of both public and private sectors to work together to ensure that they get the basics right and to shore up the security of the internet for the good of all. Here at the World Economic Forum we are committed to supporting ICANN’s work to support DNS security and to making the internet safer for everyone.