Ars Technica had a scary article this week about an IoT search engine that allows users to search for webcams displaying anything, including marijuana plantations, bank back rooms, kitchens, bathrooms, and yes, sleeping babies. Webcams have easily exploitable security vulnerabilities, and those webcams are broadcasting video via API.
Part of the security problem is consumers. Because webcam manufacturers are working with very tight margins, and customers haven’t seen value in privacy and security, the manufacturers aren’t willing to pay more to add security protections.
Consumers may not be willing to pay for security, but that doesn’t mean companies should be allowed to scrimp on security measures. “The bigger picture here is not just personal privacy, but the security of IoT devices,” says security expert Scott Erven. “As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a webcam peering into the baby’s crib.”
Therefore, say experts, manufacturers are going to have to be strong-armed into adding security protections to their IoT devices, and one forcing function could be governments. In fact, the FTC in the US has already started enforcing security standards for connected devices. Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, says, “The message from our enforcement actions is that companies can’t rush to get their products to market at the expense of security. If you don’t have reasonable security then that could be a violation of the FTC Act.”
It’s clear that business as usual when it comes to API security won’t be enough anymore, particularly as more connected devices come to market. It’s a good idea to make sure security is at the forefront of your mind when designing APIs.