Gartner predicts that by 2020, IoT technology will be in 95 per cent of electronics for new product design. The same Gartner study also predicts that, by 2022, half of all security budgets for IoT will go to fault remediation, recalls and safety features rather than detection or protection. Those of us who embrace the benefits of IoT may be wondering: why aren’t governments and regulatory authorities doing more about IoT security?
The Internet of Things is quickly becoming the next frontier of technological innovation, but IoT devices are inherently vulnerable: there is often no way to patch them, protect them or install anti-virus software on them, leaving them easy targets for hackers. Furthermore, a major security issue with IoT is that, once these devices are installed, whether in a personal or office setting, they often run on their own and are not regularly assessed.
Existing regulations: Where are we now?
In August 2017, the US Senate introduced a bipartisan bill calling for minimum security requirements for IoT devices used by the federal government, offering general and limited recommendations.
The proposed bill, Internet of Things (IoT) Cybersecurity Improvement Act of 2017, requires vendors to ensure that their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain vulnerabilities. Although the Senators introducing the bill have expressed their concerns about the lack of security for IoT devices, little has been done by regulatory authorities to address commercial and consumer applications of the technology.
Early-stage regulatory policy is now being drafted in the EU, as IoT security and privacy relate to GDPR compliance initiatives. In the US, the only state that currently seems concerned about the impact of emerging technologies is California. There, the California State Senate has drafted Bill 327 (not yet ratified), which asks connected device manufacturers to include security features at the development stage. It requires manufacturers to “equip devices with reasonable security features,” to “design the device to let the consumer know when information is being collected,” and to notify consumers directly of relevant security patches and updates. This is a step in the right direction.
While California may be making progress, the US FTC has, to date, only encouraged IoT and connected device manufacturers to take security into account. In fact, the FTC has issued only one formal report discussing IoT security, and it pertained only to consumer devices, failing to take enterprise and commercial applications into account and therefore leaving corporate networks at risk.
Early last year, the FTC issued its third IoT-related enforcement complaint against D-Link, a network equipment manufacturer, because the company promised consumers that its wireless routers and IP cameras were secure when this was far from the truth. The FTC reported that D-Link could have taken reasonable steps to secure its products against “widely known and reasonably foreseeable” risks. While a public report sheds light on IoT vulnerabilities and on companies putting their customers at risk, a slap on the wrist or a fine is not enough to make IoT manufacturers change their way of doing business.
Other initiatives making progress are the Open Web Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST), which have issued reports governing specific security issues but have yet to address the overarching security and privacy concerns arising from IoT devices.
Though regulations have not yet taken off, NIST does identify the constraints of IoT devices that may present security concerns. These include power consumption (encryption or other security features draw more power, which could push up device prices), the low cost of the devices (tied to the previous point), and product lifecycles that are typically short, which makes regular patches and updates challenging and, in practice, a nearly impossible task.
IT executives and consumers alike may be wondering: if these authorities aren’t taking action on IoT regulation, then who will?
Consider the areas that IoT security and privacy regulations need to address. Key areas include:
- Unauthorised Access: A huge area of concern is unauthorised access. To combat the risk of IoT devices getting into the wrong hands, device manufacturers should be required to design devices with strong authentication built in. This can be achieved through existing authentication methods such as multi-factor authentication or unique per-user credentials. Apple, for example, requires two-factor authentication when logging into your Apple ID from a new iPhone or iPad.
- Default Passwords: It may seem like common sense, but this starts with changing the default passwords issued by manufacturers. Both consumers and developers can and should be creative with their passwords and ban simple ones like “1234” or “default.” In addition to being easy to guess, many of these passwords are accessible online through services like Shodan, where users can look up nearly any connected device and locate its factory-issued username and password. Often, consumers and even IT executives in enterprises trust manufacturers and expect them to be security-minded. Unfortunately, they often are not.
- Data Privacy: What is the limit to the information that can be collected, stored and shared over the internet? Consumers, and even more importantly enterprises, need assurances that their data is protected, and they need to be able to protect that data with strong passwords and authentication credentials. What happens if the smart IT guy hacks the smart coffee machine and thereby gains access to data-laden areas of the network holding everyone’s salary information? The consequences could be significant, but such scenarios are usually an afterthought when deploying devices, given IoT’s innovative appeal.
A clear drawback of regulating IoT technology is the possibility of a reverse effect: making IoT inoperable. But as consumers and enterprises continue to adopt IoT into their daily lives and reap the benefits, we can set this worry aside. Regardless, with several real-world examples of IoT devices serving as a hacker’s dream, there isn’t much time to waste. Government authorities need to take the first steps towards IoT security, and they need to start now.
Ofer Amitai is CEO and co-founder of Portnox