It looks like some high-profile tech companies are coming to their senses when it comes to reducing vulnerabilities in connected devices and improving IoT security. The US Department of Homeland Security is also taking some baby steps toward IoT security and privacy regulations, releasing Strategic Principles for Securing the Internet of Things.
In 2010, Google, Microsoft, Verizon and other tech giants joined FCC Chief Technologist Dale Hatfield in creating the non-profit Broadband Internet Technical Advisory Group. Focused on broadband management and security, the group has published a report that “explores the technical aspects of the security and privacy of networked consumer devices.”
Although not (yet) legally binding, the DHS principles recommend incorporating security at the design phase, building on proven security practices, promoting transparency across the industry, and advancing security updates and vulnerability management.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” said Jeh Johnson, secretary of Homeland Security. “Securing the Internet of Things has become a matter of homeland security.”
This is welcome news, because it finally feels like the internet of things is moving somewhere other than shipping unsafe products to grab market share. The connected-home market is a gold mine for attackers: users hand over personal data when they sign up, and, worse, the devices themselves ship with little or no protection.
You can't install security agents on most gadgets, and engineers rarely design them with security in mind, which leaves an alarmingly high number of IoT devices exploitable. The usual contributing factors are that the devices run unattended, run outdated software that cannot be updated, may have malware introduced during development or manufacturing, and ship with default user names and passwords.
Yet what many users fail to grasp is that the risk is not only that their private information is exposed, or that sex offenders can spy on their children through baby monitors, but that their home devices can be conscripted into botnets that attack entire infrastructures, shared networks, and perhaps soon governments. The recent DDoS attacks launched from IoT botnets may well have been practice for something bigger.
BITAG also puts forward its own recommendations, although the organization has no power to enforce them. Some of the report's recommendations:
- Build in a mechanism for automated, secure software updates
- Use strong authentication by default
- Test and harden device configurations
- Keep devices functioning when the cloud backend fails or internet connectivity is disrupted
- Support IPv6
- Use or validate DNS Security Extensions (DNSSEC)
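The first recommendation, a built-in secure update mechanism, is the one most often got wrong in practice, so here is what the device-side check looks like in working code. This is an added example, not code from the BITAG report, the DHS document, or any vendor; the manifest layout, the Ed25519 choice, the field names and the firmware bytes are all assumptions made for illustration. A device holds only the vendor's public key; a genuine update must carry a manifest signed by the vendor, the manifest's version must be newer than what is installed (anti-rollback), and the image must hash to the digest the signed manifest names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The vendor signs it on the build
// server; the device only holds the vendor's public key, provisioned at
// manufacture, and never any private key. (Layout is an assumption for this example.)
type Manifest struct {
	Version  uint32   // monotonically increasing build number (anti-rollback)
	ImageSHA [32]byte // SHA-256 of the firmware image the manifest covers
}

// Encode produces the exact bytes that are signed and verified. A fixed
// binary layout avoids parser ambiguity between signer and verifier.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageSHA[:])
	return buf
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageDigest  = errors.New("firmware image does not match manifest digest")
)

// SignManifest is the vendor-side step; it runs wherever the private key lives,
// never on the device.
func SignManifest(vendorPriv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(vendorPriv, m.Encode())
}

// VerifyUpdate is the check the device runs before writing anything to flash.
// Order matters: authenticate the manifest first, only then trust its version
// and digest fields, then check the (possibly large) image against the digest.
// The installed version must come from storage the update process itself
// cannot roll back (e.g. a monotonic counter), otherwise the check is moot.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageSHA {
		return ErrImageDigest
	}
	return nil
}

// Scenario generates a vendor key pair and exercises the verifier with one
// good update and four hostile ones. It returns the outcomes so they can be
// checked programmatically rather than only printed.
func Scenario() (valid, tampered, rollback, wrongKey, bumped error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample, not real firmware
	m := Manifest{Version: 2, ImageSHA: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	// Genuine update from v1 to v2.
	valid = VerifyUpdate(pub, 1, m, sig, image)
	// Attacker swaps the image but keeps the genuinely signed manifest.
	tampered = VerifyUpdate(pub, 1, m, sig, append([]byte("evil:"), image...))
	// Attacker replays a genuinely signed v2 to a device already on v2.
	rollback = VerifyUpdate(pub, 2, m, sig, image)
	// Manifest signed by someone other than the vendor.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	wrongKey = VerifyUpdate(otherPub, 1, m, sig, image)
	// Attacker edits the version field to defeat anti-rollback; the signature no longer matches.
	forged := Manifest{Version: 99, ImageSHA: m.ImageSHA}
	bumped = VerifyUpdate(pub, 1, forged, sig, image)
	return
}

func main() {
	valid, tampered, rollback, wrongKey, bumped := Scenario()
	fmt.Println("genuine update:  ", valid)
	fmt.Println("tampered image:  ", tampered)
	fmt.Println("replayed version:", rollback)
	fmt.Println("wrong signer:    ", wrongKey)
	fmt.Println("forged version:  ", bumped)
}
```

The point of signing the manifest rather than the raw image is that the version number travels under the same signature as the digest, so an attacker cannot bump the version to slip an old, vulnerable (but once legitimately signed) image past the rollback check without also breaking the signature. Transport security (TLS to the update server) is a separate layer and does not replace this check: the device must be able to reject a bad image even when the update server or the network path is the thing that has been compromised.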