Security Concerns Loom as IoT Devices Proliferate, Attendees at CES Told
LAS VEGAS -- Amid well publicized reports of IoT security breaches and privacy concerns about big data, consumers still show a willingness to share private information, said speakers on a privacy and security panel during Parks Associates’ Connections Summit at CES Wednesday. Consumers say privacy is a burning issue, said Parks analyst Brad Russell, but “they’re not that concerned because they keep checking that terms of service box.”
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The highest level of concern about privacy and security is about PCs and tablets (42 percent) and smartphones (41 percent), said a Parks survey of 10,000 U.S. broadband households. Family safety devices including door locks and garage door openers followed closely behind at 40 percent, but respondents didn’t show nearly the same level of concern about fitness devices, Russell said: “For all the concerns about HIPAA [Health Insurance Portability and Accountability Act], consumers aren’t nearly as concerned about health and fitness device security as they are about other connected devices.”
Consumers have shown they’re willing to trade privacy for incentives, said Russell. A third of consumers said they’re willing to share data to solve device problems. For connected CE devices, one in five respondents would be willing to share device data to get discounts on related products and services. Russell referred to a “tension” between the level of concern and data-driven value propositions, where consumers voluntarily agree to a “win-win” scenario, he said.
At Zubie, which sells broadband service for the connected car, concerns over privacy are “overwhelming and paramount in the absence of proven value,” said Navin Ganeshan, head-product. Getting customers to share data was an “absolute challenge” until the company showed them the benefits of sharing, he said. Ganeshan said insurance companies use telematics data to underwrite policies and tailor policies using that data. Three years ago, a poll showed 35 percent of consumers would consider a data exchange for an incentive. That jumped to about 74 percent now, he said, due to marketing and awareness that data is valuable and can benefit the consumer with lower premiums.
Intel Chief Consumer Security Evangelist Gary Davis noted the contradiction in consumer attitudes toward data sharing. Intel research has shown consumers respond with an “overwhelming yes” when asked if they value privacy and security. But they’ll turn around and post data from a fitness tracker on social media. “They don’t think about the downstream implications of what they do,” Davis said. A slight discount for a trip to a favorite retailer is enough for some consumers to share more data, he said. Device usage among many consumers "forgoes any sense of what it means to use them in a secure, private way,” he said.
Consumers generally trust that manufacturers have taken steps necessary to protect them when using their products, said Sami Nassar, NXP Cyber Security Solutions vice president. But Intel’s Davis said “unfortunately, that’s not the status quo.” In the hyped IoT market, many device makers are rushing to market "at the expense of sensible security,” said Davis. He cited a Hewlett-Packard study last year of the top 10 devices employed in the home. It found the devices on average had 25 vulnerabilities "of the type that no security practitioner would launch with those types of issues.”
Cisco Product Line Manager-Connected Home Steve Gorretta compared the state of the IoT market with the early days of PCs: “It was like the Wild West,” where companies quickly wanted to monetize devices. He predicted more cybersecurity threats in the IoT mirroring those of PCs that led to the rise of the antivirus software market. Not all device companies treat security responsibly or are capable of envisioning potential hacks, he said.
Even if security is baked into a product at launch, security threats change, said Verimatrix Senior Vice President-Marketing Steve Christian, and many certificate hierarchies emerge after products have deployed. Open-source code presents new threats, so companies have to think about device integrity and security across the whole IoT ecosystem beyond day one, he said. IoT devices makers have to maintain security over the course of time, issuing secure updates when necessary. That’s part of a product’s added value and will help consumer confidence in a product and brand, he said.
Some panelists saw the potential for security to be a product differentiator and possibly even a source of revenue. Christian cited conventional door locks. “'How strong is a door lock' has been a mechanical question for a long time, he said. The question in the IoT era revolves around how secure a smart door lock is against a hack rather than its defense against brute force.
Liability could also play a role in device makers' attention to security, especially in the connected home where not just one player is involved, said Nassar of NXP. “In the case of catastrophe, who’s paying for this?”
Before marketing security as a differentiator, said Ganeshan, IoT device makers need to be sure they have security in place. “Given the state of where most IoT vendors are right now, they’re better off on focusing first on making it an absolutely base requirement before they consider marketing themselves around it,” he said.
On how much device makers should be investing in security, Ganeshan said “the higher the wall the better.” One thing that’s helping the market is the element of “guerilla watchdogs” in the industry. “It’s rare that you have an IoT product out there for more than a year that someone has not attempted to break," he said. "That’s actually a good thing,” he said, calling out active hackers looking to find vulnerabilities. "White hat" hackers' breaches give companies a chance to react and fix security threats, he noted.
Christian called companies’ security efforts “an arms race.” From day one when a product ships, companies need to be able guard against security threats with “longer ladders as they try to climb over the wall,” he said of cybercriminals.
Gorretta warned against making security walls so high they stifle innovation. From Cisco’s experience working with service providers, being paranoid about which data to retrieve from consumer devices and overly cautious about security threats “slows down the rate at which you could add applications,” he said. The plus side of extreme caution is that devices are “very secure,” he said. The drawback is “it limits what you can really provide to the user,” he said. Much of the negative experience customers have with service providers is due to providers being “very careful in how they reach out to devices and what kind of data they extract," he said. "There’s a delicate balance there.”