The internet has long since evolved past being something only accessed via PCs. These days, the web can be accessed everywhere, via a multitude of different devices in different form factors. It’s not only computers, it’s not just smartphones and tablets, but a whole range of devices and wearable gadgets that are now online, including TVs, thermostats, cars and sometimes even home appliances.

By the year 2022, just eight years from now, the average household with two teenagers will contain more than 50 internet-connected devices, says a recent study from the Organization for Economic Co-operation and Development. That’s awesome potential right there – just about everything will be automated, more convenient, and perhaps able to save consumers some money :)

But there’s a risk too, because security in the ‘Internet of Things’ is almost non-existent at the moment, and that means each and every one of the 50 or more devices in most homes is vulnerable to hackers.

No regulation

IoT security – or rather, the lack of it – is such a big concern that last November, the FTC held a workshop on the matter, focused on privacy and security issues related to increased connectivity for consumers, both in the home through home automation, smart home appliances, and connected devices, and on the move through health and fitness devices, personal devices, and cars. The workshop brought together numerous academics, business and industry representatives, and consumer advocates to explore the security and privacy issues in our increasingly connected world.

The impetus of this exercise came from the FTC’s desire to learn more about the potential benefits of the Internet of Things for consumers. However, the FTC is also extremely concerned that these new technologies might be vulnerable to hacking, leading to misuse of personal data, or even causing physical harm to their owners.

“How can privacy and security risks be weighed against potential societal benefits (such as improved health-care decision-making or energy efficiency) for consumers and businesses?” the FTC asked.

Ultimately, we can expect the FTC to come up with regulations for governing how companies must secure their IoT devices, but this could be a long time coming. As of right now, there are no rules compelling manufacturers to secure their devices, and that should set alarm bells ringing.

In a recent interview with SFGate, Michael Chui, a partner with the McKinsey Global Institute, said that any rules would need to specify how data generated by gadgets is used and whether companies will face legal liability for security breaches.

“It’s impossible to not have data generated about you in the world today,” he said. “Regulators have to many times balance innovation with managing various types of risk.”

Wildly insecure

The FTC has taken it upon itself to work out how the Internet of Things can be patched, and it is likely that responsibility for this will fall upon the device manufacturers. But as things stand now, manufacturers have little or no incentive to patch their devices, and any regulations could still be some years off.

Writing in Wired.com recently, cryptographer and security expert Bruce Schneier said that the Internet of Things was “wildly insecure,” and warned that “no one entity has any incentive, expertise, or even ability to patch [IoT] software once it’s shipped.”

“Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.

The system manufacturers — usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product — choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.”

In other words, until rules are in place that enforce this, we simply cannot rely on technology innovators driving the IoT to worry about the security risks – it just isn’t high on their list of priorities, so consumers need to be aware of this and take steps to protect their own data.

This lack of security prioritization extends to even the biggest tech firms – companies like Facebook and Twitter, noted the New York Times last year. The general attitude among companies is that security stifles innovation, hence it always comes last. With trends like BYOD and smartphones now commonplace, we’ve already seen numerous examples of what can go wrong when unsecured devices are introduced to a network. These devices are prime targets for cybercriminals – and if consumers don’t start thinking about how to secure them soon, we’re all going to learn a valuable lesson about securing our data the hard way.