SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Standards, regulation, and accountability are required to avoid IoT Armageddon
Wed, 2nd Nov 2016
FYI, this story is more than a year old

Potential security concerns regarding the deployment of an ever-increasing number of Internet of Things (IoT) devices are well documented.

However, such concerns routinely focus on the potential vulnerabilities of individual solutions rather than recognising the implicit dangers in a global system that is only “as strong as its weakest link.

The Dyn DDOS event is a wake-up call

The recent Dyn distributed denial-of-service (DDoS) attack has caused consternation in the technical communities intimately concerned with the “plumbing” of the Internet.

While the debate as to who, what, and why the attack took place remains the subject of detailed sleuthing, a security paradigm shift has occurred that is going to challenge governments worldwide.

The attack used a large botnet of low-grade, poorly secured Internet devices – it's possible that your fridge, your neighbor's router, or my TV was involved.

As the number of devices connected to the net increases exponentially, there is a significant aggregated risk to overall network integrity from millions of low-cost, poorly-designed, never-patched, unmanaged devices coming online.

Where cost is the prime determinant of low-end, no-brand devices' security is an afterthought, if it is even thought of at all. Products with no password, default passwords, no encryption, open insecure ports, known vulnerabilities, and an inability to patch flaws even if they are detected abound at the cheap commodity end of IoT.

While an initial response is often “buyer beware,” unfortunately, in aggregate, these devices have the capability to wreak havoc on the wider population.

Regulation may be a dirty word, but when products have the potential to cause significant harm, society expects government to mandate standards and regulate to ensure they are adopted.

Motor cars must be built to safety standards, and manufacturers are held responsible when they are not – as Toyota found with its faulty accelerator issues. Samsung's recall of the Note 7 due to the potential fire hazard is similarly well known. In both cases, well-respected companies recalled their product due to consumer and government pressure.

In the IoT space, the greatest risk is generally not from the well-known products, which tend to be designed with security considered from the outset and are promptly remediated when flaws are detected. The biggest concern is with low-end generic or unbranded devices from smaller manufacturers.

Addressing the challenges posed by these products will require administrations to consider a model like electrical goods or children's toys, where, regardless of price point, minimum standards must be maintained and local safety regulations complied with.

Furthermore, manufacturers and their local distributors are held liable for loss or damage resulting from substandard design.

Identifying what those minimum standards should be will be challenging, not least to ensure that the system isn't gamed by vested interests to reduce competition, but the Dyn event highlights the frightening potential from continuing with an “anything goes” approach to network device connectivity.

Just as the new-model virtual businesses, such as Uber and Airbnb, are requiring governments to rapidly develop new-model regulations, pervasive IoT will necessitate legislators walking a fine line that protects the “Internet commons,” without stifling technical innovation.