Dara Security

IoT Devices: Convenience with a Risk

January 10, 2018

The Internet of Things has developed into a thriving industry estimated at $14 billion and poised for further growth.  Smart thermostats, voice-activated personal assistants, and other IoT devices are no longer novelty items found in homes of tech-savvy early adopters.  In fact, the IoT has gained more mainstream usage as people are enticed by the convenience these devices bring, and manufacturers continue to cast a wider net for consumers by making these devices more affordable. 

IoT usage has spread outside the home and is also growing in public arenas.  Hotels compete for travelers by offering voice-activated personal assistants that promise the best customer experience.  In December 2016, Wynn Las Vegas announced that it had installed an Amazon Echo in every hotel room.  Following suit, Best Western and Marriott hotels began testing voice-activated personal assistants in select locations with the intention of a wider if not full-scale deployment in the near future.   

Connected devices have also extended into corporate offices.  According to a study conducted by Armis, an IoT Security Assessment company, 82% of companies surveyed (which included Fortune 1000 and Global 2000 companies) have an Amazon Echo device on their corporate network.  Holding to the idea that efficiencies result in cost savings, companies may consider the efficiency of IoT devices as necessary to the company’s bottom line. 

The convenience and efficiency of IoT devices are certainly attractive and are key factors in the explosive growth of the IoT industry.  Many IoT device manufacturers rush through development and manufacture lest they miss their share of this hot industry.  However, it is oftentimes the race to get devices to market that has taken priority over ensuring that security has been considered in the development of the product.  Unfortunately, many IoT devices today are incapable of being patched or updated.  This renders these devices vulnerable to a growing number of exploits and ultimately leaves the consumer’s information exposed and available to thieves.

As of November 2017, the PCI Security Standards Council is working on IoT security, but has not yet issued any formal guidance.  Currently, there are no PCI rules for merchants and processors who accept payment cards for IoT transactions.  However, this could change quickly if there is evidence that the next large data breach has direct ties to the IoT industry.  As IoT devices continue to come to market without security baked into the development and connected devices become more mainstream, the chances are certainly high that the next big data theft will be IoT-related.