When asked if they know what the Internet of Things (IoT) is, most people would think of popular smart speaker devices like Alexa or Amazon Echo, or even the cute and useful Roomba. And at its core, that is correct. IoT devices are things used every day, just with computational capabilities like processing and exchanging data added in.
Maybe this is because of how IoT is marketed, or maybe because the research on the topic is more technical, with few studies devoted to the public perception of IoT, most of which are now dated. And even these half-a-decade-old studies show how people have positive views of these devices, with a few security and privacy concerns sprinkled in [1]. It seems like people don't connect these devices with the technical term of IoT or think about the broader implications of these connections. Neither do they realize that IoT devices have been implemented in areas way beyond the humble home.
And it is this lack of awareness that concerns Arun Chauhan, a leader in Information Security, with expertise in cyber warfare. Worried about the large-scale security concerns that come with the amalgamation of the physical and cyber worlds via these smart devices, he considers its various repercussions.
"I started thinking about the consequences of IoT devices in the physical domain when there was a surge of devices that were previously not perceived as computers, but were acting like and had attributes of computers," Mr. Chauhan explains, his experience showing through his steady speech. The increase in IoT devices in the control of electric grids, power plants, and other important infrastructures that support public life worried him immensely.
"Think about a conventional computer and its software," he elaborates. "If it suffers a cyber-attack, the consequences are limited to the data on it. But since IoT devices are connected to physical structures, the consequences move into said physical domain and would potentially cause fatal destruction."
It's worse when considering the fact that most IoT devices run on the same software that conventional computers do. It means these devices that control so much of our daily lives—not just in the home, but through public infrastructure—can be compromised in much the same way a computer can be compromised.
"In a way," Mr. Chauhan says gravely, "it's easier to attack and successfully compromise IoT systems, as its defense systems have not been implemented well."
Mr. Chauhan also worries about the common public perception of IoT devices, especially when it comes to security risks. Despite it being over a decade since these devices hit the market, it is still hard for a regular person to understand the impact on their individual and communal lives.
"There used to be security conferences discussing and demonstrating attacks on IoT devices back then," Mr. Chauhan recalls. "It was important since many of these devices can listen to and record people's everyday actions, be it in real life or online. They hold private and financial data."
He details an easy-to-digest example: a smart air conditioning system. If it were hacked into, an attacker could control the temperature of the household. That would affect the inhabitants' comfort and, in extreme weather conditions, their health.
Think of such examples but on a larger scale. As early as 2008, digital attackers used malware to explode a Turkish oil pipeline, destroying critical infrastructure [2]. More recently, in 2023, successful attacks on the decentralized Danish power grid resulted in a disruption of essential energy infrastructure and services [3] [4]. Cyberterrorism is real and present in our world today.
"It may seem sci-fi-esque to the layperson," Mr. Chauhan says grimly, "but these consequences are extensive and expensive." Electric grids, floodgates, and so many other infrastructures that ensure public functioning are increasingly utilizing IoT. Studies show that there are or will be around 1,000 IoT devices per person, and considering that Earth's population is currently hitting the high of 7 billion, that is a lot of smart devices around [5].
Mr. Chauhan advises people to think about the capabilities of IoT devices before purchasing them, about the data that will be shared, and most importantly, whether all their faculties will be used after purchase. For example, does someone truly need a Wi-Fi-connected fridge? What are the risks of someone hacking into it? And if one does use an IoT device, the system must be kept updated to cover vulnerabilities in hardware and software.
"Even so, the burden shouldn't be placed on users of IoT devices," he asserts. "Security concerns should start at the beginning of production, within the industries and companies that create said devices. Shouldn't there be security measures within a device for consumer protection? And if there aren't any, what does that say about the industry?"
It means the industry cares more about adding features to increase profit and moves security to the back of the list. Security is not a default function, which raises all sorts of other concerns, mainly the fact that it is the users' responsibility to keep themselves secure. And many of them do not know how or why they should do so.
In addition to these questions not blooming in the mind of the layperson, Mr. Chauhan says there is a divide between acts of physical terrorism and cyber terrorism in popular opinion.
"Those who commit acts of cyber terrorism can do so without being exposed to the physical risks that traditional acts of terrorism demand," he explains, unflinching in the face of these potential terrors. "They can remain anonymous if they wish, which makes it hard for security agencies to identify and prosecute the suspects. And the amount of damage they can inflict with such low risk and investment is phenomenally alarming."
Even more alarming is the fact that physical security cannot stop a cyber-attack. That job falls to digital armor woven into the making of IoT devices, which have become so prolific due to their capabilities for automation.
"There are ways to mitigate the threat," Mr. Chauhan says positively. "Two major things can be done. First, have IoT device producers be responsible for security. And second, create government regulation of safety standards for IoT devices."
Mr. Chauhan explains how, if companies follow security engineering principles to create a tested and secure device before it hits the market, many catastrophes could be easily nipped in the bud.
"It has the added benefit of not placing the onus on users," he says. "Personal-level precautions are only a short-term solution."
Security standards enforced by government regulation have usually been related to physical security. Creating guidelines for information security, and especially internet-connected IoT devices, will force the industry to comply to stay in business.
"Going back to the example of the internet-enabled fridge," he says. "How can regulation enforce what information security standards the end product should follow? Which governmental agency would regulate and enforce these standards? It's an area that needs to be looked into."
Much of the world's current lifestyle relies on the internet, yet that fact has not been completely internalized. IoT proliferation just adds another dimension to the cyber world bleeding into the physical world.
"There are so many ways things could go wrong without proper IoT security," Mr. Chauhan says.
He details several examples: outdated software in public announcement systems that can be easily compromised creates an insecure system that cannot be relied on during emergencies. Insecure traffic light systems can lead to tremendous damage and loss of life. Lack of proper security in smart water monitoring systems can result in an attack, causing industrial waste to leak into rivers and other water supplies.
"It may seem like I'm catastrophizing," he says grimly. "It may even seem like these examples can only occur in movies, like it's entertaining fiction and nothing more. But it is real, and it can happen any time now. If my decades of experience in national and private security have taught me anything, it's that it's not a question of if, but when. And being prepared for these possibilities is how we can make our world safer in this ever-expanding digital age."
[1] Gate, R. (2022, Feb 1). The Public Perception of IoT. Object Spectrum. https://www.objectspectrum.com/the-public-perception-of-iot
[2] Robertson, J., & Riley, M. (2014, Dec 10). Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar. Bloomberg. https://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
[3] Strategic Technologies Program (2023). Significant Cyber Incidents. Center for Strategic & International Studies. https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
[4] Speek, S. (2024, Jan 9). Decoding the Danish hack, the cybersecurity blueprint for IoT. LinkedIn. https://www.linkedin.com/pulse/decoding-danish-hack-cybersecurity-blueprint-iot-sander-speek-iuxse/
[5] Singh, D. (2023). Internet of Things. In C. D. Singh & H. Kaur (Eds.), Factories of the Future: Technological Advancements in the Manufacturing Industry (pp. 195–228). Scrivener Publishing LLC. https://doi.org/10.1002/9781119865216.ch9