The Internet of Things (IoT) consists of billions of devices that have internet connectivity. Typically, “things” in this context refers to devices that do not require internet connectivity but have had it added to them to provide greater functionality. Examples include: smart lights, to enable wireless control of their intensity or color; smart cars, to enable access to music streaming or GPS services, or, ultimately, to allow car manufacturers to install the latest operational software updates in real time; and medical devices, such as implantable cardioverter defibrillators, to enable remote monitoring and control of abnormal heart rhythms. I’ve blogged before about how many of these devices—particularly if designed five to ten years ago—have poor security that makes them vulnerable.
There are many issues that make security specifically challenging in IoT devices. For example, many—especially older ones—don’t have a mechanism for updates. Compounding this problem is that IoT devices are frequently intended to be in use for much longer (15–20 years) than most consumer electronics, making it even less likely they could remain secure for their lifetimes. Some IoT devices are meant to run with little power and memory; sometimes this is combined with intermittent internet access, as is the case with battery powered sensors deployed in the field to measure meteorological conditions. Even when the capability to deploy over-the-air updates to such devices exists, doing so may drain power and reduce their lifespans.
So What Can Be Done?
Market incentives (i.e., the risk that poor security will diminish sales) will help only when compromised devices could lead to negative consequences for the purchasers. Security failures in vehicles or medical devices, for example, can severely impact sales, making it likely that manufacturers will prioritize security. However, the efficacy of the market in incentivizing security depends not merely on the potential costs of lack of security to users, but on user understanding of those costs.
Manufacturers of devices where neither user safety nor confidential data are at risk will not necessarily consider security important. Thus, security vulnerabilities in smart bulbs (for example) may not result in diminished sales, at least until a vulnerably is exploited to gain access to devices whose security are deemed important and the result is widely publicized. Market mechanisms cannot be expected to help in encouraging security when compromised devices are used against third parties, as occurred with the 2016 distributed denial of service (DDoS) attack on Domain Name System provider Dyn.
Published guidelines1 can help in those cases where a company cares about security but has not yet acquired necessary expertise, as with some startups, for example. But it will not help with companies that already have the necessary expertise or with companies that have no financial incentive to care about security.
Many ideas for addressing the issue of security in IoT devices have been suggested by various groups, and they fall into three broad categories.
Legislation is the most obvious approach. Laws could be passed requiring manufacturers to meet certain security requirements. This would be difficult to enforce, as there are far more companies involved in the manufacturing of IoT devices than, say, pharmaceuticals. Furthermore, a single device will typically contain components made by a number of different companies. A more readily enforceable law would stipulate penalties in the event that negligence in cyber security had led to a device’s compromise. It should be noted that, as no device security can be expected to be 100% effective, the mere fact of compromise should not in and of itself be considered evidence of negligence.
2. Information Sharing Frameworks
Information sharing frameworks will not help in incentivizing security, but may help to mitigate the problem by ensuring that it is easier to inform individuals and corporations of known vulnerabilities in devices, software, and protocols. An example is the National Vulnerability Database. The utility of such frameworks can be augmented with a system for subscription and automatic notification. Thus, a person or company could subscribe to notifications involving a particular brand of IoT device. A user of the device would receive an automated email if a vulnerability were found that impacts it, along with a link to a fix if one exists. If such a vulnerability database were augmented with information about which components are part of which devices, a manufacturer could receive an automated notification if a vulnerability is discovered in any hardware or software component that impacts it.
Another possibility is the creation of a public database of IP addresses belonging to devices thought to have been compromised. This would help, in particular, in mitigating the problem of distributed DDoS attacks carried out through device botnets—a number of Internet-connected devices taken over without owner awareness and used to carry out cyber attacks. It could also create an incentive to the user to care about security in instances where the user is not harmed by security failures. As an example, a DNS could simply refuse requests from any IP address in the database. Or a cloud service provider could refuse requests from such a device, precluding it from storing and/or accessing data. If the connectivity of the device becomes effectively useless because it has been blacklisted by internet servers, then the user will take notice, in turn forcing manufacturers to also take notice.
3. Incentives for Cooperation
Finally, government can create (positive) incentives for cooperation. For example, companies could be offered a discount on forensic services after a cyber attack if they are willing to allow information about how the attack was carried out to be shared publicly (presumably in some anonymized form).
Unfortunately, with the number of IoT devices expected to grow to perhaps 30 billion by 2020 from a current estimate of 10 billion, it is almost certain that the problem will get worse before it gets better, no matter what combination of strategies is employed. With AIR cyber solutions, you can better understand your cyber exposure and risk today.
1 Guidelines have been published by the Department of Homeland Security and the National Institute of Standards and Technology, for example.