Will Security Flaws Stifle the Internet of Things?

Home automation and Internet of Things, or IoT, devices — which can communicate with other devices and communicate data — have been on the market for years. Everything from TVs, light bulbs, and door locks to alarm systems and sprinklers can be controlled remotely through mobile apps.

Last week HP (FRA: HWP) published research highlighting huge vulnerabilities with most of the top 10 home IoT devices on the market.

The company found that 70% of the devices used unencrypted network services, the majority of them with login requirements could easily be bypassed with standard passwords like “12345”, and nearly all of them collected at least one piece of personal information. This lead HP to conclude that 80% of the devices have serious privacy concerns.

But just as HP noted, this isn’t the first time a laxness in security has been exposed.

Back in 2013, a Forbes staff writer, Kashmir Hill, legally tapped into eight homes of people using Insteon home-automation products. She was able to find their systems on the Web through a flaw in the company’s software, then tapped into the lights in the home. In some cases, she could even find out the physical address of the homeowners, names of their kids, and other personal information. The company then issued a recall of the vulnerable devices, released a new secured-hub system, and then required passwords for controlling the devices.

So, what’s the point? HP’s latest data shows that companies still have yet to make security a priority. Right now, 70% of the most popular IoT devices on the market contain major vulnerabilities.

Even after the Heartbleed bug, Target‘s credit card debacle, and the Forbes experiment, some companies still don’t take security seriously. The problem is that IoT devices are about to take off. Gartner expects about 26 billion connected things by 2020.

Security as a priority
A few months ago, Intel‘s (FRA: INL) worldwide chief technology officer for security, Michael Fey, said, “Security needs to be built in as the foundation of the Internet of Things. Any disruption to these IP connected devices can cause damage to the business and our daily lives. We need to have foresight into what is coming so we can prevent against threats and securely manage these devices.”

Intel has a pretty big incentive to secure IoT. The company made far more revenue from it’s IoT division in the most recent quarter than it did from mobile. But Intel’s not alone in its ambition. Cisco, General Electric, IBM, and AT&T have joined Intel to create the Industrial Internet Consortium, or IIC, partly to determine security standards.

IIC is tackling Internet of Things security in three main ways: endpoint security, secure communications, and security management and monitoring. Those are all very vague descriptions, but basically they mean that IIC will set up standards to make IoT devices secure when used by themselves, when connected to other devices, and establish ways to monitor device security.

To do this, IIC will run tests once the standards have been set in place. The consortium says on its website that it’s “systematically designing and incorporating security into the reference architecture(s) of the Industrial Internet from the start, as opposed to adding it as an afterthought.”

As companies launch new ways to automate home devices, security becomes more important. In June, Apple debuted HomeKit, its home automation platform, that pairs third-party devices together to seamlessly communicate with iOS 8. Qualcomm already has its AllJoyn platform, and Google‘s Nest recently launched its own platform for connected home automation devices as well. Of course, IoT devices go far beyond home automation, and according to IDC, by 2020 the entire Internet of Things market is expected to grow to $8.9 trillion.

With that kind of growth, tech companies likely won’t slow their IoT innovations — but it’s still unclear whether that means security features will be able to keep the same pace.