IoT device breaches: Consumers can help, but onus is on device vendors
IoT device manufacturers have by and large flooded the market with web-connected products that have little or no security measures to speak of. There remains such a focus on usability, features and time-to-market (especially with the more ubiquitous lower-end devices) that there’s a real threat to the long-term viability of the industry if it cannot achieve a balance delivering products that are as secure as they are desirable and affordable.
This current absence of effective IoT device security is increasingly empowering hackers, who use malware to remotely take command over unsuspecting connected devices. Hackers can then aggregate the bandwidth of these devices for use in botnet-powered distributed denial-of-service (DDoS) attacks, which have proven plenty capable of taking major websites and network infrastructure instantly offline. Alternatively, devices can be exploited to carry out ransomware and other malicious attacks. And, as has also been shown, IoT devices on the market have even automatically opened home router and firewall ports — essentially rolling out a red carpet for hackers, all in the name of simplicity for consumers.
Part of the problem here is certainly the relative difficulty of updating IoT devices with more secure and current firmware. While some device vendors are beginning to provide automatic firmware updates when new vulnerabilities and exploits are recognized, many, many more IoT devices can only be updated manually or no longer have official support whatsoever. In order for updates to arrive, vendors must invest in the infrastructure necessary to develop and deliver new firmware. (This means, of course, they must also see the business value of such an investment.) More often than not, though, vendors support devices for a limited time and vendors that go out of business cannot provide further support at all. Firmware update URLs once belonging to defunct vendors could even be exploited by malicious actors to control device traffic — yet another glaring weakness to the security of these devices.
It’s critical that consumers become savvier when it comes to the IoT devices they select for purchase, thus putting pressure that might be needed to fast-track a change in these practices. But really, the onus is on the manufacturers. Device makers must collectively acknowledge the long-term value of collaborating to adopt and enforce standardization and best practices, in pursuit of a more secure IoT that stops making headlines for massive vulnerabilities and breaches. Ultimately, customer safety and an internet safe from future IoT botnet attacks depend on wise and decisive action by the industry stakeholders of today.
Currently, IoT vendors utilize a variety of disparate and incompatible technologies, from custom closed-source approaches to open source technologies applied in vastly different ways. However, by supporting common standards, such as IoT devices from different vendors using the same technologies and practices, it would become possible to secure and support all devices using widely available open source firmware. Thus, even those devices from extinct vendors could be fully secured.
The industry is seeing the dawn of what could be adopted as these needed standards. One candidate, the Arm Platform Security Architecture, provides a standard framework for IoT device security. A draft document by the Internet Engineering Task Force (IETF) offers the Manufacturer Usage Description (MUD) standard, establishing a common foundation for communication and access requests between IoT and security devices such as routers and firewalls. With MUD in place, even IoT devices with poor security could only access necessary services, thus imposing more effective security on them. In this way, the MUD specification is being explored as a method for preventing IoT devices from being used in DDoS attacks. Some industry vendors are also developing advanced approaches that utilize the technologies including AI, predictive security and proactive behavior-based threat recognition.
The technology and frameworks needed to standardize and secure the IoT industry are quickly becoming available, but vendors must have the will to match. In many ways, achieving a future in which a thriving IoT industry realizes its full potential depends on it.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.