What is the Standard for IoT Security?

Written by

The number of IoT products for consumers is growing rapidly. You can use them to adjust your heating or lighting, control access to your home, monitor your baby and keep an eye on your dog when you’re out.

At the moment, buying an IoT product is a bit like getting a tattoo: you want to get one because they’re cool and all your friends have them, but what quality standards are there for the ink used and the artistic level of the artist? In the same way, there are no standards for IoT security – and whatever the superficial attractions of IoT devices, this means there is nothing to reassure you that you won’t get more than you bargained for. 

That’s not to say every device out there is a risk, but consumers need to know what they are welcoming into their homes, and understand that any insecure embedded device they connect to the internet is a potential target for attacks. These could range from spying on them and their family, as highlighted in a recent Panorama program, to inserting malware or stealing their data, or even using their equipment to power a DDoS attack.

There are also cases of random accidents due to inadequate backend software. At the moment manufacturers don’t need to provide any guarantees of the safety of their equipment beyond electrical compliance.

The good news is that steps are being taken to regulate this market. In March 2018 the UK government announced a draft code of practice for IoT products in its Secure by Design report, although this remains a work in progress. In June the EU announced that it was creating a cybersecurity certification framework designed to help ensure compliance with specified cybersecurity requirements. However, there is no date for when this will be implemented, and there are caveats.

Certification will be optional unless specified as a legal requirement under an EU law or Member State law, so it may not even apply to products developed or sold in the UK, and for the basic level of certification, manufacturers or service providers will be able to carry out the conformity assessment themselves. 

In my view, responsibility needs to fall firmly on manufacturers of IoT products. They need to ensure the safety of the equipment they sell, just as car manufacturers should ensure that their cars are safe. After all, manufacturers are the people who benefit from the IoT, for example when a car tells them (as well as you) that it needs a service.

Equipment reporting back to base is a tremendous advantage for manufacturers: in return for selling you a product, they gain huge volumes of data about your behavior at no cost to themselves – data they can use to help produce the next generation of smarter, more targeted products. If their base is outside the EU, data sent here will not be governed by the GDPR, so there are no guarantees about the security of your personal information. 

There are several steps that manufacturers need to take. First, do they have any guarantees about the security of the components they use? This was brought home to me several years ago when visiting potential suppliers in the Far East, when I realized how easy it was for ‘rogue’ components to enter the supply chain. We’ve already seen cases where Chinese CCTV cameras can contain ‘back doors’ that allow unauthorized access via the internet.

Manufacturers need to assure themselves that not just their own software but all components are secure, and should carry out their own testing and certification before their products go on sale. The EU certification may help here by providing standards, but it’s not with us yet.

Second, manufacturers need to provide fixes, such as software updates, if serious safety problems are identified post-production. We are used to this with our mobile phones and should expect the same for our IoT gadgets. However, this is still a rarity.

In the CCTV sector, for example, automatic firmware updates are almost unheard of, and many manufacturers put in software back doors, which are often revealed on the internet.
Third, manufacturers need to communicate regularly with their users. They should explain what security measures they implement and tell users what they should do themselves to ensure their devices are secure, such as changing passwords from the default.

It amazes me that there are many warnings that microwave radiation from baby monitors can be harmful, yet few people consider the very real cybersecurity risks that these devices pose. 
Many manufacturers of low cost IoT products such as IP cameras view security as an overhead, an expense that obstructs sales and complicates technical support procedures, or prevents them selling next generation products by reducing built-in obsolescence.

I hope that with growing concerns about security and the development of standards this will quickly change, and manufacturers will start to sell cybersecurity as the vital added value feature that it surely is.

What’s hot on Infosecurity Magazine?