Friday, October 09, 2020

The Internet of Things to Get Smart About (Cybersecurity Awareness Month, 2020, Day 9)

I applaud the organizers of 2020's Cybersecurity Awareness Month for focusing attention on the Internet of Things (IoT) early in the month. That's because, like many cybersecurity professionals, I think IoT is increasing the already enormous challenge of protecting the privacy of consumer data and the security of online activities, including online transactions. (In technical terms, IoT is increasing the number of attack vectors and expanding the attack surface, terms I will come back to later in the month.)

To be clear, IoT is a broad term for electronic devices that use digital technology and connect to the internet but are not traditionally thought of as computers: things like remotely accessible smart thermostats and smart appliances, connected toys, home security cameras, and so on. Whether you have been turning your home into a smart home or just watching a smart TV, you are using IoT devices.

Here's an awareness message you may see on social media this week from Stay Safe Online talking about the need to protect internet-connected devices:

Every new internet-connected device is another entry point for a cyber criminal. If you connect it, protect it. Know what steps you need to take to secure all internet-connected devices at work and home. Do Your Part. #BeCyberSmart 

And here's an article from a security software company offering tips to help secure your smart home and IoT devices. You can read another "actionable" IoT article here.

What's the problem?

At this point you may be wondering: why are these IoT devices so risky? Well, as I said in the video in yesterday's blog post: many digital products have holes in them. These holes are technically referred to as vulnerabilities. Once a digital product is available to purchase, some people will probe it to see if they can find vulnerabilities. If they find a vulnerability, then they will try to figure out whether it could be exploited for selfish purposes. What happens next depends on the finder. Here are some common scenarios:

  • A. The finder—possibly an academic, university student, security company employee, independent security professional, or freelance coder—is a responsible person, so they notify the maker of the product that a potentially exploitable vulnerability exists. They may or may not receive a reward and/or recognition for this (some companies have formalized a process for this in what are called "bug bounty" programs).
  • B. The finder sells the vulnerability, and/or an exploit based on it, to a criminal (for example, to make more money or faster money than in scenario A).
  • C. If the finder of the vulnerability/exploit is a criminal they will decide when and how to monetize it based on current conditions (for example, if current email phishing scams are profitable using known exploits, they may delay use of newer ones).

What should happen, and often does happen, is that the maker of the product fixes any potentially exploitable vulnerabilities as soon as they are aware of them. This can often be done with a software update that "patches" the hole. That's why you will see this #BeCyberSmart message out there:

Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browser and operating systems up to date. #BeCyberSmart by turning on auto-updates. 

Unfortunately, some holes are hard to patch, particularly if they are baked into the product. A classic example is a default password "hard-coded" into a device. That is a hole that can only be fixed by changing the hardware, something that may cost more in time and effort than the device is worth. 

And of course, once a default password becomes known, criminals can use it to access and abuse the device (something that happened in the Mirai Dyn DDoS Attack of 2016 which exploited default passwords in digital video recorders (DVRs) and IP cameras).
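To make the "baked in" problem concrete, here is an added example (my own illustration, not code from the post or from any product) contrasting the two ways a device can check a password. The first function compares against a string compiled into the firmware, so every unit shares the same secret and the only fix is a new image or new hardware. The second keeps a per-unit salt and password hash in writable storage, refuses to accept any login until the owner has replaced the factory state, and rejects the known default outright. All names, the salt bytes and the password value are constructed for the example, and the FNV-1a hash stands in for the memory-hard password hash real firmware should use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- Vulnerable pattern: the credential is a compile-time constant. ----
 * Every unit ships with the same secret, it cannot be rotated in the field,
 * and the firmware image itself discloses it to anyone who reads it.
 * The value is a constructed example, not taken from any product. */
#define HARD_CODED_PASSWORD "admin1234"

bool vulnerable_login(const char *password)
{
    return strcmp(password, HARD_CODED_PASSWORD) == 0;
}

/* ---- Hardened pattern: per-device credential in writable storage. ----
 * The record lives in flash/NVRAM rather than in the code image, so it can
 * be changed without replacing hardware, and the device refuses remote
 * logins until the owner has replaced the factory state. */
#define SALT_LEN 8
#define MIN_PASSWORD_LEN 8

struct device_cred {
    uint8_t  salt[SALT_LEN];  /* unique per unit, written on the production line */
    uint32_t hash;            /* toy_hash(salt || password) */
    bool     must_change;     /* true from the factory until the owner sets a password */
};

/* FNV-1a over salt || password. Used only to keep the example dependency-free;
 * real firmware should use a memory-hard password hash such as Argon2 or scrypt. */
static uint32_t toy_hash(const uint8_t *salt, const char *password)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < SALT_LEN; i++) { h ^= salt[i]; h *= 16777619u; }
    for (const unsigned char *p = (const unsigned char *)password; *p; p++) {
        h ^= *p; h *= 16777619u;
    }
    return h;
}

/* Production-line step: burn a unique salt and mark the unit "not yet set up". */
void factory_provision(struct device_cred *c, const uint8_t salt[SALT_LEN])
{
    memcpy(c->salt, salt, SALT_LEN);
    c->hash = 0;
    c->must_change = true;
}

/* Owner sets the password during setup. Rejects short passwords and the known default. */
bool set_password(struct device_cred *c, const char *password)
{
    if (strlen(password) < MIN_PASSWORD_LEN) return false;
    if (strcmp(password, HARD_CODED_PASSWORD) == 0) return false;
    c->hash = toy_hash(c->salt, password);
    c->must_change = false;
    return true;
}

/* Login result: 0 = success, -1 = wrong password, -2 = setup not completed. */
int hardened_login(const struct device_cred *c, const char *password)
{
    if (c->must_change) return -2;   /* no access at all until a real password exists */
    uint32_t candidate = toy_hash(c->salt, password);
    return (candidate ^ c->hash) == 0 ? 0 : -1;   /* single-word compare, no early exit */
}

/* Walks one unit through its lifecycle; returns true if every step behaved as intended. */
bool run_lifecycle(void)
{
    static const uint8_t salt[SALT_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed salt */
    struct device_cred c;
    factory_provision(&c, salt);
    if (hardened_login(&c, HARD_CODED_PASSWORD) != -2) return false;  /* default gives nothing */
    if (set_password(&c, "short")) return false;                      /* too short */
    if (set_password(&c, HARD_CODED_PASSWORD)) return false;          /* default is refused */
    if (!set_password(&c, "correct-horse-battery")) return false;
    if (hardened_login(&c, "correct-horse-battery") != 0) return false;
    if (hardened_login(&c, HARD_CODED_PASSWORD) != -1) return false;  /* default never works */
    return true;
}

int main(void)
{
    printf("hard-coded default accepted by vulnerable_login: %s\n",
           vulnerable_login(HARD_CODED_PASSWORD) ? "yes" : "no");
    printf("hardened lifecycle behaved as intended: %s\n", run_lifecycle() ? "yes" : "no");
    return 0;
}
```

The point of the `must_change` flag is that a unit fresh out of the box has no working credential at all, so a leaked factory value is useless to anyone scanning for it; the point of keeping the record in writable storage is that a compromised password can be rotated with a settings change rather than a hardware swap.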

Help may be on the way in the form of IoT Standards

Fortunately, some governments are taking action to address IoT insecurity, motivated in part by the sheer scale of the potential problems they can create. For example, the Mirai Dyn incident I just mentioned probably cost online stores millions of dollars in orders, not to mention the massive productivity hit from thousands of companies activating their crisis response teams to deal with the situation. 

There are way more IoT devices connected to the internet today than there were in 2016 when the Mirai Dyn incident occurred. By 2025, there could be an estimated 75 billion internet-connected devices worldwide, a figure cited in this extensive UK government report on IoT security.

The main focus of government action on IoT security right now is to establish standards, as discussed in that UK report and this IEEE article. I am not going to go into these emerging standards right now but you should know that California has already passed a law in this regard. The California IoT Security Law requires all “connected devices” sold or offered for sale in California to have “reasonable security” measures. 

And just this month, Singapore launched a new cyber security label for smart home devices. The government of Singapore hopes to have the standards behind this labelling adopted overseas. This announcement made me very happy because it is exactly the type of action that will facilitate one of the three calls to action I made in yesterday's video: use your buying power as a consumer to choose safer, more secure digital products.
