Why do smart (IoT) devices have poor security?

As the IoT industry evolves, so do the cybersecurity threats. Despite this, one may ask why manufacturers keep developing devices with massive security flaws?

TIme Icon
min read

From camera-enabled vacuum cleaners to an internet-connected radiator that you can monitor from your phone, it's no surprise that smart/IoT devices are becoming more common in our lives. However, despite the proposed benefits they may offer, IoT devices are notorious for their poor security measures. Too many reports of devices getting hacked or infiltrated by cybercriminals, putting our private data at risk. They're a trojan horse of home security. This fact is recognised by the general public leading, tech industry experts, and policymakers worldwide. This begs the question: why are smart devices dumb about security, and why aren't manufacturers doing anything to fix it? Here are three possible reasons why.

Lack of standardised guidelines on device security

One of the most efficient ways to ensure device safety is the development of cybersecurity standards. The National Institute of Standards and Technology (NIST) defines cybersecurity standards as rules that define both functional and assurance requirements within a product, system, process, or technology environment. If done well, these standards act as a reliable metric for manufacturers and consumers when evaluating a product's privacy and security features.

Unfortunately, IoT lacks these cybersecurity standards, and manufacturers can release whatever device they see fit. That's because standardising IoT devices is a complicated challenge. Different applications of IoT use different software and systems, making it extremely difficult to establish a uniform set of rules.

Cutting Corners

Given how IoT is still a relatively new field, it's not surprising to see companies of all sizes racing to release the next best device. However, Cesar Cerrudo, CTO of security firm IOActive, argues that this is how security problems within IoT devices arise. As described by Cerrudo, smaller companies need to release their product to the market as soon as they can. Implementing and evaluating the product's security measures can lead to significant time and money wasted, which isn't a worthwhile cost for a product that isn't sure about its profitability. Adding security features is much more difficult after a product is released than during the development phase. Unfortunately, start-ups and smaller companies won't bother with the extra cost of implementing appropriate security measures and prioritise getting a product out as quickly as possible.

Poor Firmware Security

Lastly, how a company designs the device's firmware also presents security issues in IoT devices. Firmware is software that is programmed and installed directly on a hardware device. Similar to the above, very few companies will take the time to optimise and clear out most bugs in the system. There are reports of devices with faulty firmware and critical errors in the system that emerged after its release to the market. While firmware can be updated and patched regularly to fix newly-discovered bugs, that does not mean that all companies will follow suit. After all, there aren't any government bodies or compliance procedures that will chase them down if they don't do it.

Given the many variables in this complication matter, it will be hard to tell when IoT devices will have better security. Consequently, as consumers of IoT devices, we have two options. Either buy these devices and risk facing these security issues or give up the benefits altogether to live a more secure life. If you choose to own a device, make sure you understand the standard privacy and security concerns.

More to Explore:

Here's further advice and resources to support parents and children on this issue:

IoT security: Why it matters, why it needs to be much better

Go to resource >

IoT attacks are getting worse -- and no one's listening

Go to resource >

IoT is Coming Even if the Security Isn’t Ready: Here’s What to Do

Go to resource >