Could your DVR, connected refrigerator and other smart devices become a pollutant akin to auto emissions? Not to sound like an alarmist, but there is a possibility that this scenario could play out. Last fall we saw what happens when attackers take over unsecure IoT devices and use them as an attack vector: CNN, Twitter, Netflix and other popular websites were taken offline for a large portion of the U.S.
Being unable to access those sites was definitely an inconvenience for people and a somewhat serious issue for the business that lost revenue during the downtime. Overall, though, the fallout from the October DDoS attack against domain name services provider Dyn was relatively minor. The next DDoS attack fueled by IoT devices may have more consequential results. Adversaries could go after a utility provider such as a power company that supplies electricity to a major metropolitan area or a large research hospital with hundreds of patient beds. Leaving people without power or preventing doctors from accessing electronic medical records would have a much greater impact than being unable to stream a movie.
Again, I’m not trying to scare people by discussing these scenarios. However, not talking about them certainly won’t keep us secure. Instead, I’d like to start a conversation on how to improve IoT device security without stifling innovation. This approach will allow vendors to continue making devices that improve our lives while ensuring that their innovations don’t inadvertently wreck the Web for everyone. We’re living in an era when technology offers limitless opportunities. I’d rather not see the bad guys hijack this moment.
Device makers need to incorporate security from the start
Resolving IoT device security starts with addressing the massive security flaws in these products. Vendors and consumers both have a role to play here. As it stands now, most manufacturers view security as an afterthought while consumers lack an understanding of the most basic security practices. This needs to change.
Vendors need to incorporate security from the product’s initial design phase. The fear that adding security functions to products slows production isn’t really valid considering the consequences of not including security. Not adding the ability for the device’s software to be updated (a feature that’s surprisingly missing from many products and should be standard) leaves manufacturers with the challenging, costly and nearly impossible task of retroactively adding this function. I’d say trying to tack on security after a device is on the market is a greater risk to innovation. Product development teams and coders have to turn their attention to fixing a software bug instead of working on more important projects.
Manufacturers also need to consider the features they include in their devices. Adding ones that are more clever in terms of marketing gimmicks than practical functions only increases the chances for more bugs and the attack surface. Vendors need to ask if a washing machine needs a mobile app or FTP or Telnet.
A mechanism that forces people to change a device’s default user names and passwords is essential (While we’re on this topic, makers need to quit hardcoding passwords into a product’s source code). And the method for changing passwords needs to be easy for people to use. Consumers are already reluctant to change their passwords. Making this process difficult will only turn them off even more.
Consumers also have a role in securing devices
Consumers also share some of the responsibility for securing their devices. They need to change the device’s default password. The Mirai botnet behind the Dyn attack scanned the Web for IoT devices with specific default log-in credentials and infected them. People should also avoid purchasing products with weak or nonexistent security measures. Before buying an item, research the manufacturer by searching the Web. See if the company has been in the news for building products with poor security. Look at the company’s website and see if product security is mentioned. Finally, know the return policy of the store or site where you purchase the item. You want to be able to return the product if you have any security concerns.
Regulations need to match the reality of how people use the product
In November, security professionals testified before Congress on the need for the government to regulate IoT devices. Any laws need to incorporate net neutrality and realize that we operate in a global economy. Regulations that favor one device or vendor over another or hinder the ability of U.S. companies to sell internationally need to be avoided. Picking IoT winners and losers should be left to the market.
And don’t forget that IoT products are used by people. Any regulations need to be developed from the perspective of how a person would actually use a device. Lawmakers who don’t understand technology or take a heavy-handed approach to regulation are just as dangerous to IoT devices as buggy code.
Taking this approach to IoT security - having vendors and consumers realize their respective roles while the government passes objective, thoughtful regulation if needed - will ensure that companies can continue to innovate and create the next smart thing without polluting the Internet for everyone.