For much of the last year, we’ve noted how the rush to connect everything from toasters to refrigerators to the internet — without adequate (ok, any) security safeguards — has resulted in a security, privacy and public safety crisis. At first, the fact that everything from Barbies to tea kettles was now hackable was kind of funny. But in the wake of the realization that these hacked devices are contributing to massive new DDoS botnet attacks (on top of just leaking your data or exposing you to hacks), the conversation has quickly turned serious.
Security researchers have been noting for a while that it’s only a matter of time before the internet-of-not-so-smart-things contributes to human fatalities, potentially on a significant scale if necessary infrastructure is attacked. As such, the Department of Homeland Security recently released what it called “strategic principles” for securing the Internet of Things, an apparent attempt to get the conversation started with industry on how best to avoid a dumb device cyber apocalypse.
Most of the principles are simple common sense, such as recommending that companies, oh, actually think about security a little bit during the product design phase. Other principles are a bit ironic given the government’s behavior on other fronts, including the recommendation that companies implement encryption at the processor level for devices like the iPhone:
“Use hardware that incorporates security features to strengthen the protection and integrity of the device. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.”
Again though, most of the recommendations are painfully basic, including actually “understanding what consequences could flow from the failure of a device,” ensuring devices are more quickly and automatically updated, and engaging in “red teaming exercises” where employees probe devices for vulnerabilities before launch. Still, just getting some of this stuff in writing isn’t a bad idea, given that most of the new IoT DDoS malware relies on something as stupid as not changing default login credentials. So there is value in just establishing some kind of core best practices (apparently incompetent) companies can look to.
As such, the DHS is clear that this is just a “first step”:
“These non-binding strategic principles are designed to enhance security of the IoT across a range of design, manufacturing, and deployment activities, and include relevant suggested practices for implementation. It is a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems.”
The problem, of course, is that voluntary guidelines are no guarantee that the companies involved will actually adhere to them. After all, these are companies (and IoT evangelists) that were so keen on selling hardware that they couldn’t be bothered to do the bare minimum to secure their products or acknowledge this rising, obvious problem. As a result, you have hardware like the Jidetech 720p WiFi-enabled security camera, which security researcher Rob Graham noted this week can be hijacked by malware and recruited into a botnet within five minutes of being unboxed:
1/x: So I bought a surveillance camera pic.twitter.com/HbmPzrZgFK
— Rob Graham 🦃 (@ErrataRob) November 18, 2016
As a result, there are many security researchers arguing that voluntary guidelines simply won’t be enough. Bruce Schneier, for example, earlier this month proclaimed that the internet-of-broken-things is a clear case of market failure that will require tougher regulations if we’re going to actually solve the problem:
“An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam — or thermostat, or refrigerator — with nice features at a good price. Even after they were recruited into this botnet, they still work fine — you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It’s a form of invisible pollution.”
That’s certainly not going to be good news for the regulation phobic, but Schneier argues the alternative is, quite literally, chaos:
“Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner.”
One problem, of course, is that U.S. regulation certainly won’t deter the rest of the world from creating internet-connected devices that can wreak havoc on vital infrastructure. There’s also the very real concern that federal regulations would be crafted poorly, restricting sector innovation or consumers’ freedom to tinker with their own devices. In fact, many of these devices have such abysmal interfaces and control systems that hacking and modifying them is in some instances the only path to actually securing them and controlling what traffic they send over the network.
As such, IoT regulation is going to be a debate that rages for several years, when it’s not entirely clear we have several years to waste. In the interim, the only recourse left to consumers continues to be to establish smart security in their own homes and businesses, and to keep naming and shaming IoT vendors that clearly prioritized profits over human lives and the health of the internet at large.