What happens when you take any old object, give it an Internet connection and a modicum of processing power?
Just like any other computing device, it can be hacked and forced to join a sprawling botnet that becomes a potent weapon in a malicious hacker’s arsenal.
This is precisely what is happening with the new Linux/IRCTelnet malware, which is infecting Internet of Things devices and using them as nodes in large botnets that launch Distributed Denial of Service (DDoS) attacks across the Internet.
A working group report by the non-profit Broadband Technical Advisory Group (BITAG) said that the consumer confidence in the Internet of Things was contingent on the security of connected devices. According to BITAG’s Internet of Things Security and Privacy Recommendations report, the increased popularity of consumer-facing Internet of Things devices has opened up new avenues for malicious attacks on networks.
Some connected devices do not conform to basic IoT security and privacy best practices, which allows them to be easily compromised by third parties. For example, compromised devices have been used to launch denial-of-service attacks, perform surveillance or monitoring, gain access to or control of a system, or even cause system failures.
Consumers are vulnerable because they are often non-technical and assume that a manufacturer has taken security testing into account, the authors of the report said. Device owners are also unlikely to update software of their own volition, with the authors of the report noting that most people will never take action without being prompted.
“The emergence of IoT presents opportunities for significant innovation, from smart homes to smart cities,” said BITAG. “In many cases, straightforward changes to device development, distribution, and maintenance processes can prevent the distribution of IoT devices that suffer from significant security and privacy issues.”
This makes IoT security unusual: it requires awareness of the risks at both ends of the chain, manufacturer and consumer alike.
Issues identified by the BITAG report include a lack of Internet of Things experience throughout the supply chain, a reluctance to develop or deploy updates after the sale, problems with secure over-the-network software updates, and devices leaving the manufacturing facility with malware already installed. Some connected devices leak data from both the cloud and the device itself, while others are shipped with no encryption at all, said BITAG.
How Manufacturers Can Help Patch IoT Security Holes
With that in mind, the non-profit organization—which includes representation and input from Google, Comcast, Microsoft, T-Mobile, Mozilla and AT&T among others—has issued a number of recommendations that device manufacturers should adhere to now and in the future.
The BITAG recommendations are as follows:
- Connected devices should ship with reasonably current software that does not contain severe or known vulnerabilities.
- Connected devices should have a mechanism for automated, secure software updates with the assumption that new bugs will be discovered over time.
- Connected devices should use strong authentication by default and not allow easily guessable user names or passwords—“admin” or “password,” for example.
- Device configurations should be tested and hardened, with manufacturers testing the security of a device with a range of possible configurations.
- Connected devices should follow established security and cryptography best practices.
- Devices should be restrictive as opposed to permissive in communicating.
- Connected devices should continue to maintain a primary function if Internet connectivity is interrupted.
- Devices should function even if the cloud back-end fails.
- Devices should support addressing and naming best practices, such as being shipped with the latest Internet protocols (e.g. IPv6).
- Manufacturers should ship devices with a privacy policy that is easy to find and understand.
- Manufacturers should make consumers aware that device functionality can be decreased by a third party, which includes manufacturers themselves.
- The connected device industry should implement an industry cybersecurity program that makes clear whether a device is secure.
- The Internet of Things supply chain should take a larger role in addressing security and privacy issues, including but not limited to customer support, bug reporting, a clear vulnerability-handling process, and support for each device over its entire lifespan.
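Two of the recommendations above, automated secure updates and following cryptography best practices, are where most device firmware goes wrong in practice: an updater that fetches a blob and flashes it without checking who signed it, or that happily installs an older image an attacker replayed. The block below is an added example, not code from the BITAG report or from any vendor, of the checks a device-side updater should perform before writing anything to flash: authenticate the manifest, refuse anything at or below the installed version (anti-rollback), and confirm the payload matches the manifest hash and size. It uses an HMAC with a shared demo key purely so it runs with the Python standard library; a real device would hold only the vendor's public key and verify an asymmetric signature (for example Ed25519) over the same canonical manifest. All names, the key and the sample firmware bytes are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. On a real device this would be a vendor *public* key baked
# into immutable storage, and sign_manifest() would be an asymmetric signature.
VENDOR_KEY = b"demo-vendor-key-not-for-production"


class UpdateRejected(Exception):
    """Raised when an update fails any pre-install check."""


def canonical_manifest(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> bytes:
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).digest()


def build_update(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: describe the payload in a manifest and sign the manifest."""
    manifest = {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "sig": sign_manifest(manifest, key).hex(), "payload": payload}


def verify_update(update: dict, installed_version: int, key: bytes = VENDOR_KEY) -> int:
    """Device side: return the new version number, or raise UpdateRejected.

    Order matters: authenticate the manifest before trusting any field in it,
    then enforce monotonic versions, then check the payload against the manifest.
    """
    manifest = update["manifest"]
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(bytes.fromhex(update["sig"]), expected):
        raise UpdateRejected("manifest signature invalid")

    new_version = manifest["version"]
    if new_version <= installed_version:
        raise UpdateRejected(
            f"rollback or replay: version {new_version} <= installed {installed_version}"
        )

    payload = update["payload"]
    if len(payload) != manifest["size"]:
        raise UpdateRejected("payload size does not match manifest")
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("payload hash does not match manifest")
    return new_version


def check_update(update: dict, installed_version: int) -> tuple:
    """Convenience wrapper: (accepted, reason) instead of an exception."""
    try:
        return True, f"install version {verify_update(update, installed_version)}"
    except UpdateRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    installed = 2
    good = build_update(3, b"constructed firmware image v3")
    old = build_update(1, b"constructed firmware image v1")          # replayed old image
    tampered = build_update(3, b"constructed firmware image v3")
    tampered["payload"] = b"constructed firmware image v3 + implant"  # modified in transit
    forged = build_update(3, b"evil image", key=b"attacker-key")     # wrong signing key
    for name, upd in [("good", good), ("old", old), ("tampered", tampered), ("forged", forged)]:
        print(name, check_update(upd, installed))
```

The version check is what turns a signed update into a *secure* one: without it, an attacker who captured a legitimately signed but vulnerable older image can downgrade every device they can reach, and the signature check will pass. Keep the installed version in tamper-resistant storage so that check cannot be bypassed by resetting it.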
Although BITAG’s recommendations are a step in the right direction, there is one caveat.
The non-profit organization is not a regulatory body, so it cannot force manufacturers to abide by what are essentially common-sense guidelines. On the plus side, the authors of the report made clear that consumer confidence in the Internet of Things would only improve if device manufacturers took BITAG's recommendations into account.
“BITAG believes that following the guidelines outlined in this report may dramatically improve the security and privacy of IoT devices and minimize the costs associated with the collateral damage that would otherwise affect both end users and ISPs,” the report said. “In addition, unless the IoT device sector—the sector of the industry that manufactures and distributes these devices—improves device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise IoT holds.”
Source: ARC