Investment in IoT has increased and resistance to adoption has decreased, according to a survey conducted by Zebra Technologies Corporation. However, despite this increase, fears of iot device insecurity are still present. In October 2016, the Mirai botnet amassed a massive botnet army of connected devices, which was eventually used in a distributed denial of service (DDoS) attack that outperformed the capabilities of some of the world’s largest Internet providers and toppled the Internet across the east coast of the United States.
Mirai’s authors began building their tool as teenagers, amassing a horde of IoT zombies using familiar (and easily avoidable) techniques for decades. Unfortunately, the norm for IoT devices is lax security: simple, encrypted (non-modifiable) passwords and operating systems that cannot be patched or updated with security protection.
That same year, the European Union parliament instituted the General Data Protection Regulation (GDPR) and provided a two-year transition for its implementation. May 2018 marked the beginning of non-compliance and the implementation of sanctions and strict fines.
However, a comprehensive 2018 research study by Cybersecurity Insiders indicated that only 7% of the organizations surveyed fully complied with. Nearly 60% broke the rules at the time of the survey and further indicated that they lacked expert staff or budget to implement the necessary changes.
At a particular level
At the particular level, the adoption of IoT devices stands out in the Asia-Pacific area, where according to a survey conducted by the Internet Society, seven out of ten respondents said they already had at least one IoT device and nearly half said they had at least Three.
Data security, however, was a major concern. About 60% respondents who did not currently own an IoT device cite the lack of certainty that their personal data would be protected as a reason not to own one.
Most respondents express concern about:
- 81% is concerned that your personal information will be leaked.
- 73% is concerned that hackers will take control of your device and use it to commit crimes.
- The 72% is concerned about hackers gaining access to personal information.
- Al 71% le preocupa ser monitoreado sin su conocimiento o consentimiento.
Despite serious concerns about IoT security and privacy, many respondents have not taken any steps to protect themselves from IoT threats. Only half of those with at least one IoT device have changed the default password on all their IoT devices, and only one in three have read the privacy policy that came with the device.
Among those who haven’t changed the default password on their device, the 30% made the decision not to use a password and the 10% did not know how to change it. About half of respondents say their devices don’t have a password, but it might also be possible that they weren’t aware that their devices do have it.
While there may be greater awareness of the need for IoT security and privacy, efforts should also be made to empower consumers with options, tools, and capabilities to take control of their security and privacy. The devices include clear instructions on how to change the default password and adjust security and privacy settings, as well as present privacy notices and options easily understandable to customers in settings or purchase of an IoT device.
Rajnesh Singh, Asia-Pacific director of the Internet Society, said:
“There is a need to ensure that manufacturers and suppliers of IoT products and services protect consumers and the privacy of their data. Currently, the current measures do not coincide with the degree of concern of current and future owners of IoT devices.”
At the business level
As mentioned above, the adoption of IoT devices in enterprises is increasing, however, there is a large disparity between the extent to which organizations are adopting IoT and its security disposition cybernetics.
While most organizations plan to increase adoption of IoT technologies, only 28% consider IoT-specific security strategies to be “very important,” according to the IoT Cybersecurity Readiness Report, published by Trustwave.
The report also provides strong evidence of IoT expansion. 64% of the organizations surveyed have implemented some level of IoT technology, while another 20% plans to do so in the next 12 months.
Ironically, the 57% cites security concerns as the number one barrier to further adoption of IoT, followed by “not relevant to operations” in a 38%, and the “lack of budget” in a 27%.
The code of good use
At this point and avoiding repeating the situation of Asía-Pacifico, on October 14, 2018, in the United Kingdom the Department of Digital, Culture, Media and Sport (DCMS) published its “Code of Practice for Consumer IoT Security.”
Developed over two years, in conjunction with the National Cyber Security Centre (NCSC). The document seeks to “support all parties involved in the development, manufacture and retail of IoT for individual consumers” and create an environment where products are “safe”.
To this end, the code sets thirteen practical, results-focused steps that organizations can take to implement security solutions that are appropriate for their products.
It is important to note that, in developing the guidelines, DCMS took advantage of existing standards and guidance from the private sector, government and academia, including the summary of the 2016 edition of the Atlantic Council, “Smart Homes and Internet of Things.”
Mapping the report
The code highlights its first three guidelines: unique passwords, implementation of a vulnerability disclosure policy, and updated software maintenance, as priorities. Similarly, the Smart Homes summary points to these three principles, offering the greatest short-term security benefits.
The document contains maps of the guidelines of the card or to: “keep the software up to date”, “ensure that personal data is protected”, “facilitate the installation and maintenance of IoT devices”, ” minimize exposed attack surfaces” and “make systems resistant to disruption.”
Finally, at a broader policy level, the problem with Smart Homes that is evident in the code is that future IoT products must follow the “safe by design” philosophy. The problem summary indicates that security that is not “built-in” should be included after troubleshooting, and security that is simply “on” is more expensive and less effective than the built-in security since the start of the life cycle of a product.
A secure design philosophy gives greater control to the consumer, increases trust between consumers and producers, and facilitates the ongoing development of the industry. The code echoes these sentiments and explains in its executive summary that the objective of the Code is to “ensure that products are safe by design and make it easier for people to stay safe in a digital world.”
Implementation by the UK government
DCMS’ broader ambitions demonstrate the intention to implement the code through voluntary and regulatory means. Importantly, industry partners HP and Centrica have already formally signed the code and many devices already implement some or all of these elements.
Under a voluntary labelling scheme, producers would provide consumers with the important information they currently lack. Continuing the trend of consumer education, the UK government plans to support consumer organisations by using the code as the basis for product qualification, purchasing guides and the safety guide for evaluate IoT products at every stage of their lifecycle.
In addition, like the United States, the UNITED Kingdom has identified a significant shortage of trained cybersecurity professionals. This, combined with the rapid development of IoT technology, means that there is a lack of capacity to protect IoT products and services from increasingly complex cybersecurity threats.
Therefore, through its CyberFirst summer courses, the British government aims to educate the next generation of IoT security technology professionals.
While non-binding schemes are useful, the British government also plans to place certain guidelines on a regulatory basis. The eighth guideline “ensure that personal data is protected” can already be legally enforced through the Data Protection Act. The code can also be used as a basis for taking regulatory action against specific products, such as germany banning children’s smartwatches, which it considers unsecured spying devices.
Finally, the British government intends to work with international partners in industry, standardisation bodies and governments. Based on the United States, where harmonization can already be seen through laws such as the similar bill, the Internet of Things Cybersecurity Improvement Act (IoT) of 2017, which applies to government-acquired IoT devices.
Conclusion
The fact that so few organizations seem to attach great importance to IoT-specific security policies and technologies is alarming, especially as business vendors have been warning of the dangers for years. It makes sense that the attack surface of IoT is large and always expands, opening the network not only to attacks targeting individual organizations, but also to device types across IoT.
All security policies should cover IoT, especially where incoming regulations, such as GDPR, impose severe economic sanctions for data breaches. The fact that some may occur through IoT will not be an excuse.
