LONGREAD: should you fear the internet of things?

So what are we doing about it?

First, it helps to appreciate the scale of the potential problem. Gartner research said a few years back the world would contain 8.4 billion IoT devices this year, up a third on 2016. By 2020, the same report said we'd have 20.4 billion of them.

By the same year, management consulting firm Boston Consulting Group said the world would spend $375bn on IoT alone, over and above normal IT expenditure.

As eager early adopters of technology, Australians are embracing the IoT wholeheartedly, and technology research firm Telstye said Australian homes will contain 300 million IoT devices by 2021, a market worth $US5 billion.

The firm estimates while the average Aussie household contains 13.7 internet connected tools today, it will balloon to 30.7 in 2021, with 14 of those being IoT devices.

Now is the time

All of which makes security a huge priority, and there are major concerns it isn't being sufficiently baked into some very simple tools.

As Destiny Bertucci, spokesperon for IT monitoring and management tools provider SolarWinds says, "for most IoT vendors, security is still taking a back seat to speed to market."

But the message might be slowly getting through. SolarWinds' Speed of IT survey said more than half of all Australian organisations polled thought security was essential to overall network management, which for many includes IoT.

There are already more IoT use cases across more sectors than you can count. If you run an automated manufacturing plant and a single cog or fuse goes out it can stop your entire production line. 

IoT sensors attached to individual components or processes can reveal your vulnerable points and warn you when they're about to fail, letting you schedule maintenance.

In mass market retail, IoT warehousing and sales data can give you needle-point accuracy about inventory movements. 

Smart meters in homes are letting us plan our power usage to save money and remote medical monitoring lets your doctor keep an eye on you in real time thanks to sensor data about your health.

IoT devices are going to outstrip the traditional tools we use to connect online (PCs, tablets, etc) by orders of magnitude and as the field grows, many experts are warning about how vulnerable it is.

You might be surprised how the Dyn attack was even possible – how can modems or TVs get infected with malware, the same way your computer can by downloading a dodgy email?

The reason is because more and more of our world works on software and even the tools with the simplest functions – picking up and displaying a digital TV transmission, retrieving the correct time to display on a coffee maker, etc – run on rudimentary operating systems.

That means they send and receive data just like your laptop sends an email or downloads the contents of a Facebook page - and if you know how to program in the correct language you can write (or buy) a virus for any IoT device.

Free for all?

Despite the reach of IoT, there's a Wild-West quality about the field with devices rolling off production lines faster than the law can keep up.

At the large industrial end of the scale there's a little more scope for IoT security – a lot of large enterprise cloud services offer more secure infrastructure or dedicated pipes keeping customer data needs separate from the rest of the internet.

Some large technology companies also offer their own platforms upon which to build and deploy IoT fleets. Examples like GE's Predix are essentially IoT operating systems and much like the operating system of your laptop, you can secure them using antivirus software, firewalls and formal policies.

But things at the consumer end are very different, and two themes emerged from October 2016 findings by the Consumer Technology Association (the organisation behind the yearly CES trade show). 

First, only half of more than 15,000 respondents to a survey said IoT concerns had stopped them buying a device and only about the same amount said they changed the default login access to devices such as a DSL or cable router– which doesn't even take into account the number of tools making it hard to change the passwords or which have the password permanently hard-coded in.

But there are positive signs we're becoming more educated – or at least worried. University of Washington researchers found parents and even kids expressed privacy concerns about internet-connected toys.

Using similar technology as Siri, which uses voice recognition and machine learning to respond to questions, toys like Hello Barbie and Cognitoys respond to questions by their young owners, but few users or parents realised they were recording kids' voices and storing them in the cloud, a potential legal minefield.

Governments are also showing signs of trying to catch up. During 2015 the US government spent around $US8.8bn in security, with the majority of those funds put into IoT infrastructure and investments like sensors and wireless devices. Australia's own plans to combat IoT cybercrime is the next step in the government's efforts (more below).

The risk is real

Lecture some consumers about IoT security and they'll roll their eyes. Home security cameras and modems will likely never store our credit card numbers, after all, and surely manufacturers build in safeguards to stop a hacker taking control of our smart car, sending it careening into oncoming traffic?

Jason Humphrey is ANZ’s head of retail risk. He talks about an obscure example he came up against where one of ANZ's credit partners worked with a manufacturer of refrigerators under a new partnership.

"If someone hacked into the network that operates the internet capability of the fridge, details like when you may be at home, on holiday or are about to go on holiday might be found," he says.

To Humphrey, one of the lynchpins of IoT security is you're only as strong as your weakest link.

"Thinking of each connected device as independent of your home network creates this issue," he says. "If someone can access my connected fan settings they can access my wi-fi network, so they can access my laptop and other connected devices which have personal details stored on them."

And if the above isn't enough to scare you, how would you like to come home after a hard day's work looking forward to a relaxing evening on the lounge to find your TV had been frozen by ransomware, as the family member of one Twitter user was horrified to discover

The trick is to think of every device in your home or office which connects to a service online in the same way as your laptop or phone. 

"[They're] no different," Humphrey agrees. "The least expected device which may not be protected creates a backdoor that enables open access to all your details – the difference is that manufacturers such as phone and computing are more seasoned in dealing with hacking."

All of which begs the question of how prepared device manufacturers are. We asked US modem manufacturer Arris how it secures its consumer devices and a spokesperson said not only do all devices are manufactured to OWASP 10 standards but the company 'regularly and proactively monitors our device portfolio to discover and address potential vulnerabilities, including malware attack vulnerabilities'.

But even though we might feel safe with devices made by big company names, many internet-connected tools are outsourced or manufactured in regions where cybersecurity might not have as much oversight or have much of a regulatory framework. And as we've already seen, IoT is a huge and growing industry.

Too late to change?

But even if we ensure IoT devices are manufactured with cybersecurity safeguards from now on, there are already billions of routers, Hello Barbie toys and remote home control tools from vendors like Nest (nest.com).

Just days before the October 2016 takedown of backbone provider Dyn, research warned half a million IoT devices were vulnerable to botnets like the notorious Mirai which has CISO's sweating bullets.

"Manufacturers of connected devices should be providing the means to upgrade software and firmware regularly," Destiny Bertucci of SolarWinds says. "Also they should ensure security is built in from the outset to combat new security vulnerabilities, and users should make sure they're actioning them."

In a world where IoT devices and their flaws already surround us, the only resource disgruntled consumers might have available to them will be the law.

Paul Gordon, senior associate of Adelaide firm NDA Law, specialises in technology cases, and to him, it will take 'significant backlash' before anything changes.

"The laws will need to change not only to be more protective of individual privacy, but also to raise the expectations on manufacturers and operators of new technologies to be more mindful of regulations," he says.

But to Robin Schmitt, Australian GM of Neustar, a provider of real time information services, the only possible way is up.

"As IoT evolves, collaborating openly and adopting standards and certifications will strengthen the industry as a whole," he says.

Schmitt points to the EU's developing framework for better regulation of connected devices, including the drafting of legislation around the time of the Dyn DDoS attack.

"[It] would include a certification system notifying consumers of the level of security of their device," he says."

And while the National Plan to fight Cybercrime adopted by the Australian government doesn't mention IoT devices specifically, Schmitt says it's been listed as one of the next priorities in the government's cybersecurity strategy.

All of which isn't to say there aren't already standards and credentials the industry itself is touting. The enterprise arm of US mobile provider Verizon has a service offering security credentials between users and products, one which provides a standard making the tracking of and fixing vulnerabilities easier.

But in the absence of any formal framework which applies to your industry, Bertucci of SolarWinds thinks we should approach IoT with the same policy-based approach we would any security risk.

"Policies and procedures need to be strategised now, before the first device even enters the door," she says. "In fact it's likely the first connected device is already in the organisation and the IT team just doesn't know about it yet."

Drew Turney is a freelance technology journalist