When it Comes to Securing the IoT, Where Does the Buck Stop?


In case you hadn't noticed, the Internet of Things (IoT) is already here, woven throughout our homes, hospitals, workplaces and cities. Nor is it going away. A recent forecast from IHS Markit predicts that the number of connected devices will reach 125 billion by 2030. 

The possibilities are exciting, and it's hard not to register the blanket enthusiasm coming from all levels of society. Before we get too giddy, we'll have to take a stern look at this bold new frontier's security horizon. For those who haven't been apprised of the situation, it's not good, and someone is going to have to take care of this mess. 

Somewhere between the moment we decided to put computers into our automobiles and last year's DDoS attack on DNS provider Dyn, which took down large parts of the internet with a botnet cobbled together from baby monitors and IP cameras, we should have started asking where the buck stops when it comes to securing the IoT.

At some point this became an issue of public security and criminal justice, so it makes sense that at least part of that responsibility for addressing this problem lies at the state level. There are already attempts to address this issue in the halls of power, albeit narrowly.

There is still little IoT-specific regulation. The European Union Agency for Network and Information Security (ENISA) published a damning paper earlier this year, stating that there was "no level zero defined for the security and privacy of connected and smart devices." Nor did the agency find any "legal guidelines for IoT device and service trust." 

This is a problem that can be found internationally: there is data protection and privacy legislation that could act as some kind of IoT regulation, but only if stitched and jigsawed together. 

Jurisdictions matter too, and they become even more problematic when you take global supply chains into account. With IoT production continuing to grow, it won't be easy to ensure that all products in all jurisdictions pass a parochially defined security test, especially when many of the cheap, insecure IoT products that consumers so love are made in countries with low regulatory barriers. 

The point of production seems like a good place for responsibility to rest. It is, after all, the manufacturers who rush devices to market with easily guessable default passwords, known vulnerabilities and no ability to patch. That said, they're going to need something to compel them to do better and, as mentioned, there is little to fulfil that purpose on a political level. 

Consumers, the last line of defense, may vote with their feet. Larger businesses and organizations should certainly know better, and there is already data protection law in place around the world, like the GDPR, that could partly encourage them to use more secure devices. 

As for the average home user? It is doubtful. Many are still blissfully unaware of the kind of threat their Wi-Fi fridges pose to them. It might seem convenient to place the blame with those who eagerly buy up such devices and don't bother to take basic precautions. That, however, does little more than satisfy our own frustrations.

A Pew survey conducted last year found that while 54% of internet users were able to identify a phishing email, 73% were unsure of what a botnet even was. 

In more general terms, the public seems listless at the prospect of securing themselves. Another study, from the US National Institute of Standards and Technology (NIST), found that many people feel helpless when it comes to online security. 

The report noted “participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue”. That security fatigue: “contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice”.

The fact is, if you want people to change default passwords and apply patches, you have to be able to tell them why it's important and what it means for them. 

The future is not all gloom and has a lot of potential. As common industry standards become available on IoT platforms, these devices could coexist within enterprise ecosystems under proper management and controls.

Organizations should take proactive steps to profile the devices on their network and protect it with role-based access controls, so that their networks do not become attack vectors.

Another important consideration is to give IoT devices with limited bandwidth and no user interface a UI-less but secure method of authentication and communication. Consumers and organizations can then set up systems that grant access based on a device's security profile instead of completely locking down their networks.
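As an added illustration of the two preceding points (it is not code from the original article), the following Python sketch shows a gateway that authenticates a headless device without any UI and then places it in a pre-defined access profile rather than giving it the whole network. The mechanism used here is a symmetric HMAC challenge-response over a per-device key provisioned at manufacture; that is one of several ways to do UI-less authentication (certificate-based mutual TLS is another), and it is chosen here only because it runs with the standard library. All device IDs, keys and profile names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed registry: one unique secret per device, provisioned at
# manufacture. A shared or default key would defeat the whole scheme.
DEVICE_KEYS = {
    "cam-0001": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "therm-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

# Constructed access profiles: the zone a device class lands in and the
# only destinations it may talk to, instead of "on the LAN or not at all".
PROFILES = {
    "camera": {"zone": "iot-video", "egress": ["nvr.local:554"]},
    "thermostat": {"zone": "iot-control", "egress": ["hub.local:8883"]},
}
DEVICE_PROFILE = {"cam-0001": "camera", "therm-0002": "thermostat"}


def _mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    # Domain-separated message so the MAC cannot be reused in another context.
    return hmac.new(key, b"auth|" + device_id.encode() + b"|" + nonce,
                    hashlib.sha256).digest()


def device_respond(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """What the headless device computes: no screen, no password entry."""
    return _mac(key, device_id, nonce)


class Gateway:
    """Issues single-use challenges and maps authenticated devices to profiles."""

    def __init__(self, keys, ttl_seconds=30, now=time.monotonic):
        self.keys = keys
        self.ttl = ttl_seconds
        self.now = now
        self.pending = {}  # nonce -> (device_id, issued_at)

    def challenge(self, device_id: str):
        """Return a fresh nonce for a known device, or None for an unknown one."""
        if device_id not in self.keys:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (device_id, self.now())
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes):
        """Return the device's access profile on success, None on any failure."""
        entry = self.pending.pop(nonce, None)  # pop: a replayed nonce fails
        if entry is None or entry[0] != device_id:
            return None
        if self.now() - entry[1] > self.ttl:
            return None  # stale challenge
        expected = _mac(self.keys[device_id], device_id, nonce)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return None
        return PROFILES[DEVICE_PROFILE[device_id]]


if __name__ == "__main__":
    gw = Gateway(DEVICE_KEYS)
    nonce = gw.challenge("cam-0001")
    answer = device_respond(DEVICE_KEYS["cam-0001"], "cam-0001", nonce)
    print(gw.verify("cam-0001", nonce, answer))   # camera profile
    print(gw.verify("cam-0001", nonce, answer))   # None: replay rejected
```

The profile returned by `verify` is what a firewall or switch would enforce; the article's point is that the enforcement is per device class, not per network. Note what the design deliberately refuses: an unknown device gets no challenge, a replayed nonce is rejected because it is consumed on first use, a stale challenge expires, and the comparison is constant-time.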
