If the prospect of cheap and insecure devices wreaking havoc on the Internet of Things isn't alarming by itself, maybe the thought of liability lawyers coming after negligent manufacturers will focus some minds.
Participants on a recent Mobile World Congress panel, "Enabling IoT Security," wondered aloud about who might be found at fault if an insecure consumer webcam attacks a server or a coffee maker makes an autonomous car crash.
Part of the IoT security problem is that makers of newly connected devices simply don't think about security, explained Nikos Isaris, deputy head of unit, Internet of Things, for the European Commission (EC). A washing machine manufacturer must think about security because the connected intelligence inside the product could be both vulnerable and persistent, as major appliances are replaced and upgraded far less frequently than devices such as cell phones, he added.
One solution would call for the involvement of industry and governments. The EC would get involved "in the event of a market failure," where industry was unable or unwilling to resolve an urgent problem. Isaris implied that a lack of action on security by device makers might be considered a market failure.
For all the talk about liability and security, there was a distinct lack of solutions offered. There were no lawyers on the panel, so discussions of liability were nonspecific, and no explicit remedies for security holes were suggested beyond the recommendation that security needs to be somehow built in.
Who's to blame?
For that matter, who is responsible if a small appliance in your home participates in a distributed denial-of-service (DDoS) attack? Vince Steckler, CEO of security company Avast, demonstrated that babycams, coffee makers and even electric kettles can be taken over and controlled with the Linux telnet utility. Because time allocated for the demo was limited, it was difficult to tell how much of it was canned, but gaining telnet access to the devices appeared to be alarmingly trivial.
"An overwhelming number of attacks have been on home devices, co-opted to send more attacks," said Steckler. "In 10 years we're probably not going to be able to live without the IoT. We're going to have a huge explosion of security threats."
To underline his point, Steckler said there are databases available that indicate there are 132 connected refrigerators in Barcelona, and 3.3 million devices in Spain that connect to the Internet—450,000 of them with telnet access. Unsecured telnet connections are how the Mirai botnet, which crippled DNS service in September 2016, gained control of household devices to flood servers with packets in a DDoS attack.
As home appliances get more sophisticated features, Steckler warned, refrigerators with e-commerce may be able to make unauthorized purchases. "Virtually no device on a home IoT has any security on them," he said.
The panel did not address the question of how consumers can tell if their devices are vulnerable—let alone what steps they should take. The implication was that vulnerabilities should be designed out of devices from the start.
The EC this year is working on a set of security recommendations that would affect all members of the European Union. Some possible results include "a possible framework for security certification and a commercially oriented lightweight labeling scheme," said Isaris. He pointed to a series of September 2016 EC white papers, "Digitising European Industry," one of which calls for open standards but says further investigation may also be needed. (Note: This information appears in Section 2.6 of the document, under "Safety and reliability.")
And the problem is getting worse. Jason Porter, vice president of security solutions at AT&T, said his company's network operations center data showed a 458 percent increase in IoT vulnerability scans over the past three years, indicating that more people than ever are trying to break into unsecured devices.
Security, however, has costs, which may be problematic in an industry that has been rigidly fixed on driving costs downward.
"We're all trying to put new devices out there because we want to drive revenue," said Rami Avidan, managing director of IoT at Tele2 Group. "Because we're eager, we are not looking at security, because it's seen as a blocker. We need to turn that around. We need interoperability and to ensure that only devices that have passed certification are allowed on the network."
Other panelists agreed. "There's going to be a lot of stress on chip makers to make products that [are secure]," said Shawn Welsh, senior vice president, product line management and marketing, at Telular. "It's going to start right at the metal."
That requires collaboration among competitors. "Archrivals have to come together or nothing is going to happen. There'll be no market share at all if we don't get together," said Ian Ferguson, vice president of worldwide marketing and strategic alliances at ARM, a chip technology company.
"There's a lot of motivation through [fear of] litigation," said Welsh. "The industry will be well served by trying to protect themselves and see that there are some guardrails in place."
IoT's success depends on how well vendors work together. "Fixing things shouldn't be the focus," said Avidan. "The focus should be stopping them at the start. We believe that IoT is going to be very important to the world going forward. We don't have much choice. We have to solve this."
IoT security: Lessons for leaders
- IoT vulnerability scans are on the rise. One expert quoted in this article has seen a 458 percent increase over the past three years.
- Device manufacturers are partly to blame for the risk exposure—security takes a back seat to how quickly a product hits the market.
- A mandatory industrywide device labeling could be part of the solution.