There’s general agreement in the IT industry that Internet of Things security is terrible, where it exists at all. There are many reasons for this, but as Andrew Tannenbaum discussed in the Harvard Business Review, the biggest reason is likely what some are calling the IoT gold rush.
Smart devices that are connected to the internet, such as security cameras, DVRs, stereo speakers and even light bulbs, have become a big business. These devices perform a number of useful tasks and they’re cheap to produce.
However, designing security measures into these devices, testing their effectiveness and updating devices' software reduces potential profit, so many manufacturers just don't bother with security.
Furthermore, most consumers rarely ask about security measures when they shop for IoT devices. So the lack of security measures doesn't hurt sales, further reducing the incentive to make secure IoT devices.
This is why the introduction of the Orbit IoT Security Service from Cloudflare is an important development. Orbit protects IoT devices using the same security approach that you might use to protect web servers. In effect, Orbit creates a Web Application Firewall to protect the IoT device, or in some cases an IoT network. Orbit protects devices against cyberattacks, and if a device is compromised, then it protects the network from that rogue device.
Because Cloudflare uses its own security network to defend devices, it reduces the risk that attacks will succeed in taking control of devices. Orbit also helps solve the problem of updating IoT device security. That's because instead of updating individual devices (if that ever happens), Orbit updates the network.
Unfortunately, services such as Cloudflare Orbit won't serve as a security panacea for the millions of IoT devices in use by businesses and consumers. This is because of the sheer number of smart devices in the hands of consumers who know nothing about security. Then there are IoT devices in the hands of companies that aren't controlled or managed as part of the corporate IT infrastructure.
Good examples of this include the millions of video cameras infected by malware and then used in the largest DDoS attack of all time. Those cameras were in millions of private homes, small businesses and larger organizations. There is simply no way to secure all of them in the absence of good design and reliable updates. But because there are so many of them, they can take down nearly anything on the internet through focused Distributed Denial of Service attacks.
A related problem is connected devices that are outside of the control of the IT department. One example is a hotel in Austria that had its electronic key system taken over by hackers, who wouldn’t let anyone enter a room until the hotel paid a ransom.