The importance of regulations for a secure Internet of Things
Earlier this year, a security researcher discovered a trio of security flaws in popular D-Link routers. The flaws applied to eight D-Link router models; however, the reply he received from D-Link was that two of the devices would be patched while the other six would not, as they were considered ‘End of Life’. D-Link is not the only manufacturer with unpatched devices: a recent American Consumer Institute (ACI) report highlighted that 155 out of 180 routers had unpatched flaws. It is now more a question of which routers do not have unpatched flaws.
Of course, it is not only the owners of these unpatched devices who suffer; the global Internet audience suffers as a result of unpatched Internet of Things (IoT) devices. For instance, D-Link routers have lately suffered from a DNSChanger-like attack which has now grown to affect more than 70 different devices and more than 100,000 individual pieces of kit. The flaw was used to attack Banco de Brasil customers via a DNS redirection that sent people to a cloned website that stole their credentials.
For some time, the security industry has been only too aware of the issues caused by IoT devices installed with default passwords which are known to hackers. The Shodan website exists to show users all these devices. A root problem is that many of these devices have pre-installed, unchangeable passwords, which is utterly careless on the part of the manufacturers.
Only a few IoT manufacturers are considering the correct forms of cryptographic algorithms and modes needed in particular for IoT devices. There is an international standard, ISO/IEC 29192, which was devised for implementing lightweight cryptography on constrained devices. There was a need for this as many IoT devices have a limited memory size and limited battery life along with restricted processors.
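To make the "lightweight cryptography" of ISO/IEC 29192 concrete, here is an added example (not code from the article) of PRESENT-80, the 64-bit-block, 80-bit-key cipher standardised in ISO/IEC 29192-2. It follows the 2007 specification (31 rounds of key addition, a 4-bit S-box layer and a bit permutation, then a final key addition); the function names, the hex formatting and the round-trip input are this example's own choices, and the known-answer value for the all-zero key and plaintext is the one published with the cipher.

```python
# Added example: PRESENT-80 as specified in ISO/IEC 29192-2 (Bogdanov et al., 2007).
# Function names and the sample key/plaintext below are this example's own.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(x) for x in range(16)]
# Bit permutation: state bit i moves to position 16*i mod 63; bit 63 stays put.
PBOX = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
PBOX_INV = [PBOX.index(x) for x in range(64)]
ROUNDS = 31
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def _round_keys_80(key: int) -> list:
    """Key schedule: derive round keys K_1 .. K_32 from an 80-bit key register."""
    key &= MASK80
    keys = []
    for i in range(1, ROUNDS + 2):
        keys.append(key >> 16)                                   # leftmost 64 bits
        key = ((key & ((1 << 19) - 1)) << 61) | (key >> 19)      # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on top nibble
        key ^= i << 15                                           # counter into bits 19..15
    return keys


def _sbox_layer(state: int, box: list) -> int:
    """Apply a 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for nib in range(16):
        out |= box[(state >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def _p_layer(state: int, perm: list) -> int:
    """Move every bit i of the state to position perm[i]."""
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << perm[i]
    return out


def present80_encrypt(plaintext: int, key: int) -> int:
    rk = _round_keys_80(key)
    state = plaintext & MASK64
    for i in range(ROUNDS):
        state ^= rk[i]
        state = _sbox_layer(state, SBOX)
        state = _p_layer(state, PBOX)
    return state ^ rk[ROUNDS]          # final whitening with K_32


def present80_decrypt(ciphertext: int, key: int) -> int:
    rk = _round_keys_80(key)
    state = ciphertext & MASK64
    for i in range(ROUNDS, 0, -1):     # undo rounds in reverse order
        state ^= rk[i]
        state = _p_layer(state, PBOX_INV)
        state = _sbox_layer(state, SBOX_INV)
    return state ^ rk[0]


def known_answer_ok() -> bool:
    """Published test vector: all-zero key and plaintext -> 0x5579C1387B228445."""
    return present80_encrypt(0, 0) == 0x5579C1387B228445


if __name__ == "__main__":
    # Constructed sample key and block, used only to show a round trip.
    sample_key = 0x0123456789ABCDEF0123
    sample_block = 0xDEADBEEFCAFEBABE
    ct = present80_encrypt(sample_block, sample_key)
    print(f"known-answer test passed: {known_answer_ok()}")
    print(f"ciphertext: {ct:016X}, round trip ok: {present80_decrypt(ct, sample_key) == sample_block}")
```

The whole cipher needs a 16-entry S-box and a bit permutation, which is why it fits a few hundred gates in hardware; a block cipher alone is not a mode, so in a real device it would still be wrapped in an authenticated mode rather than used on raw blocks as here.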
Therefore, one option is to place regulatory pressure on manufacturers to ensure devices are rolled out with adequate security and that they have a roadmap in place for speedy patches once vulnerabilities are disclosed. This is actually starting to become a reality: this year in California, Governor Jerry Brown signed a cybersecurity law covering “smart” devices, known as Senate Bill No. 327. It passed the state senate in late August.
This bill, effective January 1, 2020, requires a manufacturer of a connected device to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
In more detail, a manufacturer of a connected device shall equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit. The device should also be designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
They recommend that each pre-programmed password be unique to each device manufactured, and that devices contain a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
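The two requirements just listed, together with the shared, unchangeable default passwords criticised earlier, are easiest to see as a small state machine on the device. The following is an added example, not code from the article or from any vendor's firmware: `LegacyDevice` models the shared hard-coded password, and `ProvisionedDevice` models a per-unit random factory credential that only unlocks a "change your credential" step and is invalidated once a new one is set. Class and method names, the PBKDF2 parameters and the minimum-length rule are this example's own assumptions.

```python
# Added example modelling the SB-327 password recommendations; not from the article.
import hashlib
import hmac
import os
import secrets


class LegacyDevice:
    """The pattern the article criticises: one hard-coded password shared by
    every unit shipped and not changeable by the owner (constructed value)."""
    SHARED_DEFAULT = "admin"

    def login(self, password: str) -> bool:
        return password == self.SHARED_DEFAULT   # identical on every device


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a dumped configuration does not reveal the credential.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ProvisionedDevice:
    """Per-unit factory credential that is single-use: it grants access only to
    the step that sets a new credential, then stops working."""

    def __init__(self, serial: str):
        self.serial = serial
        # Assumption: generated randomly on the production line and printed on
        # the unit's label, never derived from the serial number.
        self.factory_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._hash = _hash_secret(self.factory_password, self._salt)
        self.must_change = True          # no normal use until a new credential exists
        self._authenticated = False

    def login(self, password: str) -> bool:
        candidate = _hash_secret(password, self._salt)
        self._authenticated = hmac.compare_digest(candidate, self._hash)
        return self._authenticated

    def set_password(self, new_password: str) -> None:
        """The 'generate a new means of authentication' step."""
        if not self._authenticated:
            raise PermissionError("not authenticated")
        if len(new_password) < 12 or new_password == self.factory_password:
            raise ValueError("new credential too short or reuses the factory value")
        self._salt = os.urandom(16)
        self._hash = _hash_secret(new_password, self._salt)
        self.must_change = False
        self.factory_password = None     # label credential is now dead

    def run_admin_action(self, action: str) -> str:
        if not self._authenticated:
            raise PermissionError("not authenticated")
        if self.must_change:
            raise PermissionError("set a new credential before using the device")
        return f"{action} executed on {self.serial}"


if __name__ == "__main__":
    dev = ProvisionedDevice("SN-000123")       # constructed serial
    label = dev.factory_password
    print("factory login:", dev.login(label))
    try:
        dev.run_admin_action("reboot")
    except PermissionError as exc:
        print("blocked before first-use change:", exc)
    dev.set_password("correct-horse-battery")  # constructed new credential
    print(dev.run_admin_action("reboot"))
    print("factory credential still works:", dev.login(label))
```

The point the example makes is that uniqueness and a forced first-use change are separate controls: a unique label password still leaks if it never expires, and a forced change still leaves every unit exposed in the window before setup if the pre-change credential is shared.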
Training Professional IoT installers
Another avenue is to ensure that those in the industry who install IoT devices are adequately trained in cybersecurity and can make informed decisions about the security of the devices they install. Training of these individuals, such as gas engineers and plumbers, is outlined in a UK government report on “the internet of things” (IoT) which focuses on security by design.
The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia.
Here they proposed, for the first time in the UK, that professional IoT installers should have to undergo mandatory cybersecurity training to prevent smart devices from being exploited by criminals or state-sponsored attackers. This can be done by having security professionals work more closely with industry bodies to “embed IoT training as standard” for engineers who work with connected devices.
One such body is Trustmark, a Government-endorsed scheme that aims to marginalise unscrupulous traders undertaking repair, maintenance and improvement works in and around the home; it is well placed to create online training and provide guidance to local tradesmen and installers on IoT security.
This is a welcome move. Just as we traditionally expect workmen to understand the conventional components they may fit in homes, such as lighting, boilers and electric meters, so too, moving into a future in which most components are connected to the Internet, we should expect installers to have, as a minimum, a reasonable understanding of the inherent risks involved in Internet of Things devices. A network is only as secure as its weakest part, and increasingly we are finding that this is an IoT device.
We now know that when router makers say end of life, some of them actually mean it, so perhaps it is wise to know when to throw out that device. A sensible question we as an industry could ask is what constitutes a reasonable length of time to expect Internet of Things manufacturers to maintain a product. That is an issue for another day.
In summary, pressure needs to be placed on IoT manufacturers to implement best practice in securing these devices before they leave the factory. We know the public will be unaware of the need to update their lightbulbs, so we in the security industry must force the manufacturers not to make it so easy for hackers to exploit them.
As we have seen lately, we are now all at risk from IoT devices which were thought to be too dumb to cause harm. The opposite is the truth: unpatched, poorly deployed dumb devices have the power to bring the Internet to its knees. The new legislation seen in the USA is a step in the right direction.