The pathetic security of many IoT devices has been well known for years. Government action that could finally change this sad fact may finally be arriving. However, these first steps appear to be too little, too late.
“Many IoT device vendors have little to no experience in building internet-connected devices,” F-Secure’s Mikko Hypponen and Tomi Tuominen wrote in 2017. “They build IoT devices to be cheap and to work, but not to be secure.”
More than two years later, not much has changed—except criminals have become more adept at exploiting the security weaknesses of millions of these connected devices.
The number of IoT threats observed by F-Secure Labs nearly doubled in 2018, up from 19 to 38 in the space of a year. But, many of these threats still use predictable, known techniques to compromise devices. Threats targeting weak/default credentials, unpatched vulnerabilities or both, made up 87 percent of observed threats. More than 8 in 10 home and office routers were vulnerable to hacking, according to a 2018 study by the American Consumer Institute. This included five of the six major router brands.
There’s a simple reason manufacturers get away with shoddy security—no one stops them. No regulator has the power to dictate the standards needed to address common security issues.
Experienced manufacturers, like Google and Amazon, have hardened their smart home devices with the help of billions of dollars in assets. But, consumers are generally left to make security assessments on their own. Often, they just end up buying the cheapest device on the market. This has led to the spread of millions of insecure routers, cameras and digital recording devices.
In 2020, that could finally begin to change.
“SB-327 Information privacy: connected devices,” which goes into effect in California on January 1, 2020, could help eliminate one of the most common security vulnerabilities that has plagued IoT devices. The law mandates a password that is “unique to each device manufactured”.
Many IoT threats—especially those that have been developed from the leaked source code of the Mirai malware—target default and known passwords, easily infecting devices.
The use of default or weak credentials is finally diminishing after more than a decade of widespread adoption of this industry-wide “worst practice.” California’s law could be the nail in the coffin for this zombie security failure.
Unfortunately, the rest of the law is far more general and thus likely to be far less effective. The calls for “a reasonable security feature or features” for “any device, or other physical object that’s capable of connecting to the Internet, directly or indirectly.”
Does that sound vague and a bit toothless? That’s because it is.
But, at least it’s a law. This puts California—the home of much of America’s tech industry—ahead of the rest of the world.
Several pieces of legislation have been introduced in the United States Congress. These bills range from producing more consumer education about IoT devices to placing requirements on IoT devices for government use, to establishing much firmer standards for the devices themselves. But, none seem to be on the verge of becoming law.
In October of 2018, the UK released a “first of its kind” IoT security code of practices that lays out 13 guidelines that manufacturers should adhere to in order to safeguard their devices and customers. These are positive but non-binding steps. Since they’re non-binding, they’ve had little effect on manufacturers’ behavior.
That’s a big reason UK’s parliament is working on codifying many of these demands into law. The proposed legislation would duplicate California’s password requirements. In addition, manufacturers would have to state the minimum length of time for which they’ll provide security updates in addition to providing a public point of contact for vulnerability disclosure.
This is a step above California’s law, yet it would likely not address the millions of insecure devices already in the wild. However, a solution that would demand the radical transformation the industry needs already has a foothold in the European Union.
“I think GDPR (the EU’s General Data Protection Regulation) could be extended to actually cover the IoT devices or some other regulation could come into place that would extend the GDPR to actually cover these IoT devices as well,” said Laura Kankaala, F-Secure Security Consultant.
A proven regulation regime that makes vendors responsible for consumer data that extends to all internet-connected devices may be the only hope to reverse years of apathy.
Given that the line between IoT devices and devices people use to get online like PCs and phones keeps blurring to the point that it may eventually become irrelevant, securing IoT devices is more important than ever. Manufacturers have proven they won’t take the necessary steps on their own. So far, governments have proven that they’re only interested in doing too little, too late. Until that changes, consumers of IoT devices are own their own.
Written by Tom Gaffney, Security Consultant at F-Secure