A lot has been written during the past couple of months about the dangers of Internet of Things-connected consumer devices, which is good, since it’s difficult to overestimate the dangers that the situation poses.
Those dangers have reached their potential already with a series of distributed denial of service (DDoS) attacks caused by the Marai botnet. There is a race against time element to the effort to secure the fitbits, home automation systems, surveillance cameras and assorted other knick-knacks. At this point, the total number of connected devices, while great in aggregate, is still small in proportion.
It is axiomatic in technical realms that an element baked into a product or platform from the beginning is far more effective than bolting it on later. This is nowhere truer than in the IoT, where millions of devices are deployed annually. Security simply must be built in from the earlier stages of development.
ZScaler, a company that leverages the cloud to enhance security, today posted a security assessment of several consumer IoT products. The firm found that many of the most common devices use plain text HTTP protocols, making them vulnerable to sniffing and man-in-the-middle attacks.
The post reviewed 15 common devices. Five were found to have no security concerns, at least in Zscaler’s eyes. The most common concern of the other 10 involved the use of inadequately secured HTTP-based communications. The question that is not answered is whether this is an easy and inexpensive element to fix or whether the solutions are more complex and costly. The piece ends with a suggestion to vendors and four to users and enterprises.
The problem is potentially so dire that regulatory remedies are being considered, according to The IEEE Spectrum. The point, in the eyes of proponents, is that industry working on its own doesn’t have the motivation to fully address the challenge. On the other hand, skeptics wonder if the government can move quickly enough to effectively push back against fast-moving crackers (malevolent hackers). There is also a great question about what such rules would look like.
Well-known security researcher Bruce Schneier offered some high-level ideas, though he concluded that the question was very much open:
When asked what effective U.S. IoT security regulation, Schneier shared a few ideas: minimum security standards, interoperability standards, the ability to issue a software update or patch after a product has hit the market, and even placing code in escrow so that problems can still be managed in case a company goes out of business.
The end game might indeed involve regulation and legal remedies. Senator Mark Warner (D-VA) is on the case. Late last month, Dark Reading reported that Warner, who is on the Senate Select Committee on Intelligence and is a co-founder of the Senate Cybersecurity Caucus, sent letters to the Federal Communications Commission (FCC), Federal Trade Commission (FTC), and Department of Homeland Security's National Cybersecurity & Communications Integration Center (NCCIC) on the topic. It is unclear, however, if and how the election of Donald Trump will affect the momentum toward solutions from outside the business sector.
Mirai and whatever comes next – and something certainly will – pose extreme dangers. Business, the government, or a combination of the two must do something quickly.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.