X

Internet-connected devices will always pose a risk, experts say

Hacked cameras, DVRs and other devices in the internet of things are making headlines. But improvements are possible, say cybersecurity experts.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read
gettyimages-585043481.jpg

Last month, hacked cameras and DVRS began overwhelming popular websites with requests and knocking them offline.

Moment Editorial/Getty Images

The internet of things isn't secure.

That much was clear when a panel of four cybersecurity experts began their talk on Thursday at the Techonomy conference in Half Moon Bay, California.

"The internet of things is something that cannot be fully secured," said Betsy Cooper, the executive director of the UC Berkeley Center for Long-Term Cybersecurity. "We just have to assume that there is a risk."

That risk became a real threat last month, when hacked cameras and DVRS began overwhelming popular websites with requests and knocking them offline, causing internet outages across the US.

In light of that and other recent attacks, "We should absolutely be working to get that risk as low as possible," Cooper said.

Experts have lots of ideas for making things better, from creating security standards for internet-connected devices to raising awareness of the risk among the public. Cooper was joined by Verizon executive Mark Bartolomeo; Nicole Eagan, CEO of cybersecurity firm Darktrace; and Chris Rill, an executive at IoT security company Canary.

"It's a problem we'll probably never stop working on," Bartolomeo said.

One solution that's already in the works is a security rating for internet-connected devices. Companies like ICSA Labs and Underwriter Laboratories (better known as UL) are testing and developing standards for devices. So is the National Institute for Standards and Technology, which is part of the US Department of Commerce. These efforts could lead to a consumer rating system akin to the crash test rating for a car or an energy rating for a refrigerator.

All this testing could help a problem that is difficult for companies to avoid, Eagan said. Companies that sell IoT devices often have them manufactured by a string of third parties outside the US. That means companies can't be totally sure the device they designed is secure.

"An attack can be embedded in the device before it arrives," Eagan said.

Despite the testing efforts, Rill said the problems built into today's IoT devices won't be fixed for another two to three years.

"It's going to get worse before it gets better," Rill said. "I would say ask a lot of questions before you buy these products."