People have long followed Facebook CEO Mark Zuckerberg’s example of taping a piece of paper over their notebook’s camera to ensure their privacy, and Chinese manufacturer Huawei’s plans for the U. S. market have likely been permanently derailed by chronic rumors that its devices send private information straight back to the Chinese government.
Yet the market for web-connected IoT (internet of things) smart devices continues to rise despite well-known vulnerabilities to hacking. News accounts abound of household devices such as smart thermostats and IP cams becoming surreptitious monitoring devices that acquire vast stores of private data, including images and recordings used for blackmail, revenge, financial data theft, and even burglary. IoT devices rely on slim, low-power processors that generally can’t run antivirus software, rendering them vulnerable to hacking. Even products of leading international brands have been shown to have backdoors by which hackers are able to gain entry and control.
“In recent years, there have been numerous incidents regarding security cameras, smart home devices (e.g. routers, Network Attached Storage, etc.), infrastructure, and industrial control equipment being hacked,” noted Kelly Hsieh, market analyst for Taiwanese research firm Trendforce. Routers produced by Cisco, Linksys, Netgear, D-Link, TP-Link, Asus, Belkin, and Xiaomi have all been reported to have cybersecurity flaws.
Hackers rarely even need to try hard to hack IoT devices, as most consumers are unaware that they should change the factory default password. “More than 90% of IoT devices accept weak passwords like 123456,” says Hsieh, who adds that most devices lack multiple authentication mechanisms. Some 70% of IoT devices even have a “root user account,” which details the credentials of the account owner and provides the user with read-and-write privileges to more areas of the system, including files in other user accounts. Although manufacturers and service providers recommend deleting this function, few users do.
“It’s not easy to actually hack into an IP camera without the password – it takes some skill to do that,” notes Ming Hui-chung, a researcher with the Industrial Economics and Knowledge Center at Taiwan’s public/private Industrial Technology Research Institute (ITRI). “But a lot of people will miss the key point, which is that they need to take care of the security themselves, setting the password on the IP camera regularly or setting a more complex password. The problem is on the consumer side as well as the manufacturer’s side.”
Vulnerabilities haven’t deterred sales, however. The IoT market continues to expand in both sales and the array of connected devices.
Last December, global technology market research firm International Data Corp. (IDC) forecast that global spending on IoT would reach US$772.5 billion in 2018, a 14.6% rise over 2017’s US$674 billion. IDC sees global IoT spending maintaining a compound annual growth rate (CAGR) of 14.4% through 2021, likely surpassing US$1.1 trillion in 2021. Research firm Gartner, Inc. notes that more than 8.4 billion connected devices are currently in use, with the figure expected to reach 20.4 billion by 2020.
Some of the latest IoT devices launched in 2018 include refrigerators that order groceries for you, forks that monitor how fast you eat, and smart door locks that open with a smartphone rather than a key.
The reason the market remains healthy despite security concerns is because most IoT hacks haven’t actually harmed the owner of the infected device, according to industry insiders. Instead of being used to blackmail homeowners with embarrassing photos, infected IoT devices often are instead deployed for DDOS (distributed denial of service) attacks against websites. DDOS attacks deploy large numbers of devices to overwhelm a website or other target with superfluous messages that are aimed at shutting the site down. The infected device meanwhile continues to operate as usual.
“When the IoT device is infected and turned into a botnet proxy, there is no actual loss to the consumer,” explains Eric Hsu, vice president of sales in Asia-Pacific for U.S. IoT security provider ForceShield, which has its R&D department in Taipei. “Consumers haven’t been burned directly, so nobody cares.”
That is good news for Taiwan, which is banking on IoT to drive growth in key tech sectors, including semiconductors, sensors, and hardware. The Taiwanese IT industry exports billions of US dollars worth of semiconductors, display panels, motherboards, sensors, control systems, and numerous other components and products. Besides semiconductors, however, where Taiwan Semiconductor Manufacturing Co. (TSMC) continues to lead the world’s chip foundries in both technological advances and global market share, Taiwan’s IT manufacturing has long been in the doldrums due to shrinking profit margins. Market demand for increasingly sophisticated devices plays to Taiwan’s strengths in advanced electronic hardware manufacturing.
Tying its “Asia Silicon Valley” plan to the promotion of IoT startups, the government describes it as the “flagship program that builds a complete innovative and entrepreneurial ecosystem emerging around IoT technology,” adding momentum to job creation and the economy. The goal is to get 5% of the global market value for IoT-related components and products by 2020, according to government websites.
However, Taiwan’s electronics makers have been less than effective at ensuring the security of IoT-related devices in recent years. Routers made by D-Link Inc. as well as AsusTek Computer Inc. have been shown to be easily hacked, lacking proper firmware protection and allowing backdoor access, among other issues.
Taiwan also makes some 25-30% of the global market for IP cams, digital video cameras used for home surveillance that are attached to networks. IP cams have been one of the most widely hacked segments of IoT devices.
But while consumers have so far been seemingly unconcerned with the security of their IP cams, thermostats, and routers, governments are alarmed enough to consider the threat of widespread infection of IoT devices a national security issue.
The U.S. Department of Homeland Security has issued a series of nonbinding standards for IoT development, saying that IoT vulnerabilities can impact the flow of information and commerce and potentially lead to attacks on critical infrastructure. “IoT security is now a matter of homeland security,” it noted in its guidance. In addition, the American National Standards Institute (ANSI) in 2015 established the UL 2900 “Standard for Software Cybersecurity for Network-Connectable Products.” It largely conforms to other international standards including ISO 27001, the GSMA IoT Security Guideline, and OWASP Top IoT Vulnerabilities.
Starting with IP cams, Taiwan is following suit with its own standards that reference these international standards. The standards focus on four main domains: system security, communications security, identity authentication, and privacy protection. The quasi-public Institute for Information Industry and the Taiwan Association of Information and Communication Standards have been assigned to develop the standards for IP cams, which will serve as the basis for further IoT certifications.
Along with security standards, Taiwanese research institutes and companies are innovating solutions to better ensure IoT cybersecurity. ITRI’s Application Whitelisting technology, for example, employs a list of authorized processes that can run on a device and prevents intrusions from unauthorized sources. ForceShield, founded by former Symantec executives from both the United States and Taiwan, has developed Dynamic Transformation technology that “provides proactive protection mechanisms for vulnerable systems, effectively changing the defense perimeter to cripple attacks at the launchpad,” according to ForceShield’s Hsu.
“IoT is the wave of the future and you cannot stop it,” says Hsu. “But more convenience brings higher risk. Ensuring the security of the IoT will be vital for Taiwan and the world.”