Government calls for revamp in IoT security; will manufacturers listen?
Government plans for IoT security are welcomed but also criticised as being only a set of advisories and recommendations that do not include watertight regulations around credentials and authentication.
Amid rising concerns about the security of IoT devices, the government today announced its intent to make manufacturers of IoT devices responsible for the security of their products, while also proposing new rules to ensure that buyers are aware of security features in such devices at the time of purchase.
Even though IoT adoption in the UK has been healthy, if not the fastest in the world, the industry is still beset with critical problems where the security of such devices is concerned.
While security researchers have, time and again, exposed glaring vulnerabilities in a large number of such devices that could compromise the security and privacy of consumers, manufacturers have shown little concern for improving product security while continuing to churn out large numbers of IoT devices.
Having taken note of such concerns, the government today announced new measures intended both to ensure that IoT devices are 'secure by design' and to ensure that buyers can make informed decisions when purchasing new devices that may promise great new features but contain critical security flaws at the same time.
"Poorly secured devices threaten individuals' online security, privacy, safety, and could be exploited as part of large-scale cyber attacks. Recent high-profile breaches putting people's data and security at risk include attacks on smart watches, CCTV cameras and children's dolls," it said.
Onus on manufacturers
In a new policy paper titled 'Secure by Design', the government argues that manufacturers of IoT devices need to prioritise cyber-security during the design process rather than relying on patches to respond to emerging threats from time to time. This is intended to ensure that IoT devices are inherently secure and contain fewer design flaws that hackers could exploit to compromise the security and privacy of users.
Among measures that the government wants manufacturers to implement while designing IoT devices are the introduction of unique passwords for each device instead of using default passwords, encrypting sensitive data transmitted over apps and products, bringing in a process to automatically update products, offering clear guidance to consumers on update policies, enabling consumers to delete personal data on devices and products, and making installation and maintenance of devices easier.
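The first measure in that list, a unique credential per device rather than a shared factory default, is the one that separates a fleet in which one leaked password opens every unit (the pattern a hardcoded default-credential list exploits, and the one the Mirai botnet mentioned later in this article relied on) from a fleet in which each device must be attacked on its own. The following is an added example, not code from the government paper or from any vendor quoted here, showing what a factory provisioning step that meets the guideline looks like: a cryptographically random password per device, stored only as a salted PBKDF2 hash, constant-time verification, and a user password change that refuses known default credentials. The device IDs, the in-memory credential store and the default-credential blocklist are constructed for illustration.

```python
"""Per-device credential provisioning instead of a shared factory default.

Added example; not the policy paper's code nor any manufacturer's.
The blocklist, device IDs and store are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import string

# Constructed: a small blocklist of the kind of factory-default credentials
# that shared-password devices have shipped with. Anything in this set is
# refused both at provisioning and on a later password change, so the device
# can never be "reset" to a universal default.
DEFAULT_CREDENTIAL_BLOCKLIST = {"admin", "password", "12345", "1234",
                                "root", "default", "user", "guest"}

PBKDF2_ITERATIONS = 200_000
PASSWORD_ALPHABET = string.ascii_letters + string.digits
MIN_PASSWORD_LENGTH = 12


def is_default_credential(password):
    """True if the password is on the blocklist (case-insensitive)."""
    return password.lower() in DEFAULT_CREDENTIAL_BLOCKLIST


def generate_device_password(length=16):
    """Cryptographically random password, independent of serial or MAC.

    Deriving it from a device identifier would let anyone who knows the
    derivation recover every password in the fleet, so the CSPRNG is used.
    """
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def provision_device(device_id, store):
    """Issue a unique password for one device; persist only its salted hash.

    The returned plaintext goes on the device label (or a QR code) and is
    not retained by the factory system.
    """
    password = generate_device_password()
    salt, digest = hash_password(password)
    store[device_id] = {"salt": salt, "hash": digest}
    return password


def change_password(device_id, new_password, store):
    """User-initiated change; refuses defaults and short passwords."""
    if device_id not in store:
        return False
    if is_default_credential(new_password) or len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    salt, digest = hash_password(new_password)
    store[device_id] = {"salt": salt, "hash": digest}
    return True


def verify_login(device_id, password, store):
    """Constant-time comparison against the stored hash for this device."""
    record = store.get(device_id)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def provision_fleet(device_ids, store):
    """Provision several devices; returns {device_id: label_password}."""
    return {dev: provision_device(dev, store) for dev in device_ids}


if __name__ == "__main__":
    factory_store = {}
    labels = provision_fleet(["dev-0001", "dev-0002", "dev-0003"], factory_store)
    # Every device got a different password and the shared default is useless.
    assert len(set(labels.values())) == len(labels)
    assert not verify_login("dev-0001", "admin", factory_store)
    print("provisioned", len(labels), "devices with unique credentials")
```

Compare this with the shipping default the guideline targets: one string compiled into the firmware, the same on every unit, and accepted indefinitely. In this scheme a compromise of one device's label yields one device, and the store holds nothing that recovers the plaintext for the rest.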
The government also wants to introduce a product labelling scheme so that consumers are better informed about a product's security features at the point of purchase. While accepting that IoT devices cannot be forever secure, it has also asked manufacturers to provide a point of contact so that security researchers can report issues immediately.
"We want everyone to benefit from the huge potential of internet-connected devices and it is important they are safe and have a positive impact on people's lives. We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed," said Margot James, Minister for Digital and the Creative Industries.
Several companies in the sector emailed SC to voice their opinions and ongoing concerns.
Commenting on the government's new initiative to better manage the security of IoT devices, Keith Graham, CTO at SecureAuth, said that while the initiative has been a long time coming, it's important to remember that it is only a set of advisories and recommendations and that it doesn't include watertight regulations around credentials and authentication.
"While using two-factor authentication where possible is a step forward, ultimately two-factor just isn't enough. Striking the balance between user experience and security is always going to be tricky, but access to any internet connected device needs to go beyond the advice in this plan. IoT security is crucial, let's not allow authentication to take a back seat too," he said.
Mark Weir, director of cyber-security for Cisco UK & Ireland, also said that while it is encouraging to see the UK Government introducing compliance measures to ensure that connected devices are secure straight from the design room, it is only half the battle as securing only the end-points is not the ultimate solution.
"Whilst the 'Secure by Design' initiative is a promising step in the right direction, we must not overlook the fundamental importance of securing our networks. To ensure our nation collectively remains safe we must ensure that smart devices are connected to a network that is equally as secure end-to-end, providing full visibility to any threats as they emerge so that they can be contained and dealt with responsibly," he said.
Are consumers serious about their own security?
Matthew Berry, from the Global Security Practice at World Wide Technology, says the bigger problem is how seriously, or not, consumers take the security of their own IoT devices.
"Think about the typical consumer who purchases an IoT device and exposes it to the Internet. They are not likely to visit the vendor's site to look for security updates. Even if an update is made available it's not likely to be installed," he laments.
Matthias Maier, security evangelist at Splunk, agrees. "We need a mindset change from consumers to shift their purchasing habits from selecting the cheapest device to choosing the most trusted device," he says.
"This change will happen as consumers become more educated and savvy about what they select and it's great to see the UK Government pushing understanding further with the launch of this report."
Ralph Echemendia, better known as "The Ethical Hacker" and CEO of Seguru, says that while there is no doubt that IoT devices need to be secure by design, educating consumers on how to use these devices safely is equally important.
"Let's take a smart toy, for example. Many parents don't truly know and understand how these devices may be used or, more specifically, exploited by malicious hackers. The problem is consumers are often bombarded with information that moves away from how to protect themselves and focuses on the dark side of security that most don't understand. Both consumers and technology creators need to be involved in balancing risks and functionality to create a safer connected future for all," he says.
Little effect on manufacturers
Although the government has brought in a wide-ranging initiative to put the onus of IoT device security on manufacturers and introduced a draft code of practice, Jon Geater, CTO of Thales eSecurity, isn't getting his hopes up.
He says that while the government's guidelines contain basic common sense considerations for makers of connected devices, the industry has still not reached a point of mandatory compliance and manufacturers will continue to ignore such recommendations as people chase the IoT trend.
He adds that considering how manufacturers fail to include even basic security features in their devices, it will be a long time before the industry starts talking about more advanced security features that are required to defeat bigger recent problems like the Mirai botnet attack.
"Given these are voluntary guidelines I'm not optimistic that they will be followed by manufacturers around the world. For consumers to trust the innovations they use, and to ensure that tomorrow's IoT devices don't impact on critical communications infrastructure, we need buy in from all companies involved. Without this, our brave new IoT world may fail before it's taken off," said Richard Parris, CEO of Intercede.
David Emm, principal security researcher at Kaspersky Lab, also agrees that the government's guidelines will have little impact on the overall security of IoT devices unless they have regulatory backing.
"While it could be argued that voluntary standards are weaker, since it leaves room for irresponsible manufacturers to ignore good practice, by no means are they necessarily meaningless. If the government allows manufacturers who comply with the standards to display a clearly-visible mark (like the British Standards Institute kitemark), it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage," he says.
While the use of BSI kitemarks will make it easier for consumers to choose products that feature adequate security, Derek Weeks, VP and DevOps advocate at Sonatype, says that with GDPR approaching, manufacturers should use a DevSecOps approach to eliminate the challenges of vulnerable software components in their products. According to him, this approach will help manufacturers automate security and governance from the start and implement standards everywhere within a DevOps pipeline.
"Instead of using manual reviews of code, which leaves businesses at risk of human error, DevOps practices can utilise machines to adjudicate all components. With these latest guidelines recommending that software be automatically updated, we expect to see more and more businesses implementing a DevSecOps approach.
"Increased governance practices will become even more relevant this coming May when GDPR enforces the requirement to design security in from the beginning. For those not yet paying attention to software liability, now is the time," he adds.