
Which Path to IoT Security? Government Regulation, Third-Party Verification, or Market Forces

The security flaws within the Internet of Things must be fixed, or denial-of-service attacks will only worsen

Illustration of a padlock
Illustration: iStockphoto

On Friday, a series of distributed denial-of-service attacks hit Dyn, a company that provides a form of traffic control for popular websites, and interrupted some users’ access to sites including Github, Twitter, and Netflix. Since then, it has become clear that these attacks were made possible by security vulnerabilities in millions of devices within the Internet of Things.

On Monday at the National Cyber Security Alliance’s Cybersecurity Summit in New York City, industry leaders from security firms, Internet service providers, and device manufacturers fretted over the implications. Panelists spoke about the existential dangers that companies in the fast-growing IoT sector face if they continue to fail to secure these devices and debated ways in which the industry can improve security within this ecosystem.

“Friday showed us that the genie is well out of the bottle at this point,” said Andrew Lee, CEO at security company ESET North America. “This should probably be the wake-up call to manufacturers to start taking this seriously.”

While it’s still not clear who executed Friday’s attacks, Dyn has announced that hackers orchestrated it across “tens of millions” of IP addresses gathered through Mirai, malware that scans the Internet for connected devices with weak security. The malware then enlists these devices into a massive global network called a botnet. Increasingly, hackers have used these networks to launch distributed denial-of-service attacks, in which they instruct many devices to send traffic to a target at once in order to overload its capacity and prevent real users from accessing a website or service.

Distributed denial-of-service attacks have been around for decades, but Mirai has made it much easier for hackers to quickly assemble a large botnet by co-opting IoT devices, since many have weaker security than laptops or smartphones. A hacker can often access a device by simply logging in through a default password that a manufacturer assigned to millions of devices—a lazy strategy that would be akin to Honda handing out identical keys for all of its 2017 Civics.

In September, the hacker who created the Mirai malware released its source code to the public, essentially setting it loose for other hackers to use. Security experts knew it wouldn’t be long before cybercriminals wielded its powers to build vast IoT botnets for attacks that were bigger and more powerful than ever before. Less than a month later, Kyle York, Dyn’s chief strategy officer, wrote in a post on the company’s site that Friday’s assault is likely to be seen as “an historic attack.”

The fear of becoming vulnerable to hackers through poorly secured IoT devices isn’t just a problem for consumers—it also impacts industrial projects. Anthony Grieco, a senior director for security at Cisco, said 39 percent of Cisco’s corporate customers have halted a major digitization project because of concerns about IoT security.

Right now, it’s clear that many manufacturers are still failing to incorporate adequate protections into their products, and there’s no gold standard of security for IoT devices that the industry has agreed upon. Selling products with vulnerabilities can certainly hurt business—Chinese manufacturer Hangzhou Xiongmai Technology has recalled webcams made with its components after learning that they were among the devices used in the Dyn attacks. And a consumer survey of 1,527 U.S. adults released Monday by ESET and the National Cyber Security Alliance found that 50 percent of consumers have declined to purchase an IoT device because of security concerns.

But market forces alone may not be enough to persuade manufacturers to spend the extra time or money to ensure that their products are safe. An alternative solution would be for legislators to pass laws or government agencies to implement policies that require IoT manufacturers to build certain protections into their devices and to provide regular updates and patches as new bugs are discovered.

However, Lee at ESET North America said government regulation is difficult to apply to cybersecurity. By the time regulations are in place, new threats and solutions have inevitably popped up.

The National Institute of Standards and Technology has developed a voluntary cybersecurity framework that companies and organizations can use as a guide to identify and protect against cyberrisks. However, it was intended to protect critical infrastructure such as the electricity grid and water treatment plants and does not have specific recommendations for IoT devices.

At Monday’s summit, Sami Nassar, vice president for cyber security at NXP Semiconductors, suggested a third-party verification program in which an independent group would assign a stamp or endorsement to the packaging of IoT devices if they met certain minimum security standards. This approach would be analogous to the Fair Trade USA certification or the way the U.S. Department of Agriculture regulates the use of the term “organic” for food products. “You need to have minimum rules with a minimum level of security that a product must have to enter the ecosystem,” he said.

Other industry-driven solutions have also begun to surface—for example, Apple’s HomeKit includes products such as fans, locks, humidifiers, and thermostats from many manufacturers but supports only models that have met Apple’s security specifications. Lee of ESET North America also suggested that insurance companies could play a role in improving the security of connected cars by refusing to insure those which remain vulnerable to hackers.

However, Matthew Cook, cofounder of video game security company Panopticon Labs, pointed out that all of these solutions assume it’s possible for cybersecurity experts to agree on a set of security standards for IoT products. In reality, a product’s threat model might change significantly from the time it is designed to the moment it hits store shelves.

Regardless of the approach, the experts agreed that the responsibility for securing IoT devices rests with the companies that manufacture them rather than the consumers who bring them home. Any action that the average consumer must complete (such as changing a default password) also represents a potential vulnerability if that action remains undone. Neil Daswani, chief information security officer at identity protection firm LifeLock, offered a simple litmus test for any cybersecurity features in a consumer product: They should be as easy to operate as a TV remote control, if manufacturers want consumers to actually use them.
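As an added illustration (not code from the article, Dyn, or any manufacturer quoted in it), the following Python sketch shows a secure-by-default provisioning model that follows the two points above: each unit ships with its own random credential instead of one default shared across a whole product line, and the network-facing admin service stays disabled until the owner has actually replaced that credential, so a setup step left undone fails safe. The device model, the function names and the placeholder default are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder standing in for the anti-pattern the article describes:
# one credential stamped into millions of units. Not a real device credential.
SHARED_BATCH_DEFAULTS = {"admin", "password"}


@dataclass
class Device:
    serial: str
    password_hash: bytes
    factory_hash: bytes            # hash of the credential the unit shipped with
    remote_admin_enabled: bool = False


def _hash(pw: str, salt: str) -> bytes:
    # PBKDF2 keeps stored credentials non-reversible; the serial acts as a per-unit salt.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 100_000)


def provision_at_factory(serial: str) -> tuple[Device, str]:
    """Per-unit credential: every device gets its own random password (printed on its
    label), so a leak of one unit's default reveals nothing about the next unit."""
    initial = secrets.token_urlsafe(12)
    h = _hash(initial, serial)
    return Device(serial, h, h), initial


def set_password(dev: Device, new_pw: str) -> bool:
    """Reject the shipped credential and any known shared default. Only a real change
    turns on the network-facing admin service; an unchanged device stays offline."""
    if new_pw in SHARED_BATCH_DEFAULTS:
        return False
    new_hash = _hash(new_pw, dev.serial)
    if hmac.compare_digest(new_hash, dev.factory_hash):
        return False
    dev.password_hash = new_hash
    dev.remote_admin_enabled = True
    return True


def accept_remote_login(dev: Device, pw: str) -> bool:
    """Gate: no remote login at all while the unit still runs on its shipped credential."""
    if not dev.remote_admin_enabled:
        return False
    return hmac.compare_digest(_hash(pw, dev.serial), dev.password_hash)
```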
