Ten years ago you didn’t have to worry about someone hacking your refrigerator. Today, your personal home assistant is quite literally listening to your every move. Experts believe that in just a few years, there will be over 20 billion devices connected to the internet with the possibility of being compromised by an attacker due to the lack of security built into these devices.
It comes as no surprise that, as IoT devices proliferate, attackers are increasingly looking to exploit them. Large-scale events (like last October’s DDoS attack targeting systems operated by Dyn) and warnings from security experts finally have government officials paying attention.
Think of it this way. A government employee connects a smart coffee machine to the same WiFi network that his or her computer uses (even though manufacturers of smart coffee machines often instruct that these devices be placed on their own isolated WiFi network, so that if that network is breached, no other devices are affected). Shortly after, an attacker targets the network. The coffee machine has no anti-virus software installed, or any type of security for that matter, so it becomes infected. Soon, the entire network is compromised.
So, a coffee pot can infect the West Wing’s network with ransomware?
It’s not likely, but it’s certainly possible.
Days ago, the federal government introduced the Internet of Things Cybersecurity Improvement Act, an initiative designed to set security standards for the government’s purchase of IoT devices.
The government doesn’t often involve itself in manufacturing decisions, so as to avoid stifling innovation. However, IoT security is now a matter of national security. Senators Mark Warner (D-Va.) and Cory Gardner (R-Colo.) are spearheading the effort to require companies that sell wearables, security cameras, sensors and other web-connected tools to federal agencies to adhere to stricter security regulations.
And while it is good news that IoT-device security issues are getting more attention, the proposed bill would only impose security regulations on devices sold to federal agencies, not on devices sold to consumers.
A lot of questions
This raises a lot of questions concerning consumer IoT-device security in the United States. How will independent consumers benefit from the security features and enhancements that would be required of products being sold to the federal government? Will all vendors of IoT products be held to the same standards, even if the products are not purchased by the federal government? Can vendors pick and choose what models are sold to the government and to consumers? Will there be a standard requirement for all goods and technology sold in the United States, especially for those devices in which personal data is collected?
This bill should challenge consumers and vendors alike. We are aware of the true danger IoT devices can create beyond the computer: they can control systems in the real world. Too often, security is an afterthought instead of a partner in the decision-making and building of the products we have grown to enjoy as consumers. Since the adoption of IoT devices is on the rise, manufacturers are competing to stay ahead. This means creating cheap products quickly, which means overlooking security measures.
As a result, consumers sacrifice their security and privacy for the convenience and enjoyment of a product or service. Instead, we should challenge ourselves and ask whether the convenience is worth the risk and compromise. We should demand that the creators and innovators of IoT devices treat security as a top priority.
White hats can pass
Another interesting part of this proposed bill is the cover it provides to researchers. If passed, the bill will “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.”
This means security researchers would be given more freedom to explore IoT devices for vulnerabilities in “good faith,” through white hat hacking and other means. As a result, more researchers will be able to ethically disclose the vulnerabilities and security concerns they discover.
Right now, we have to ask ourselves whether this bill is a long-term plan and strategy for keeping security requirements and validation in sync with rapidly growing technology, or merely a problem that we will have to keep monitoring and fixing. The answers will come with time and, unfortunately, trial and error.
The author is the Chief Information Security Officer at SecureAuth. With 15+ years of leadership experience implementing Vendor Security Risk and Assessment Programs for startups and Fortune 500 companies, she defines the security road map for SecureAuth’s suite of adaptive authentication and IS solutions. She is recognized as a subject matter expert in Governance, Risk and Compliance (GRC) frameworks.