Regulation for Internet of Things (IoT) devices is finally arriving, years after many cyber security experts including F‑Secure’s Mikko Hypponen called for action by governments around the world.
But to fix the “security nightmare” known as the IoT, everyone involved in getting consumers connected online must push hard to redefine the gold standard for security and privacy across all internet-connected devices.
Proposed legislation would make the United Kingdom the first country to require manufacturers to secure IoT devices by law. This would make the UK a “global leader in online safety,” according to Digital Minister Margot James.
However, the kingdom is trailing California, which passed similar legislation in late 2018 that will go into effect in January of 2020. That law calls for “reasonable” security features in any devices that connect to the internet “directly or indirectly.”
As similar legislation seems to have stalled in the United States Congress, Oregon’s legislature is moving forward with a bill that echoes California’s demand for “reasonable” IoT security.
But the fact that governments have to demand the implementation of basic security precautions at this late date, when the number of internet-connected devices is nearing double the world’s population, shows how bad the situation is and how much work is still left to be done by governments, manufacturers, and internet service providers.
“Whenever an appliance is described as ‘smart’, it’s vulnerable,” Mikko tweeted in December of 2016.
He then expanded on the implications of “Hypponen’s Law” in “The Internet of (Vulnerable) Things: On Hypponen’s Law, Security Engineering, and IoT Legislation,” a paper he co-authored with Linus Nyman of the Hanken School of Economics in April of 2017. The article includes recommendations for manufacturers of so-called IoT devices while suggesting that legislation could be “the only reliable means of securing the Internet and its connected devices.”
While acknowledging the limitations of government regulations, Mikko and Linus argued such steps may be necessary to reduce the rush that has led to insecure devices ending up in millions of homes by forcing “all manufacturers to invest in security engineering, thereby leveling the playing field.”
In January of 2018, “Pinning Down the IoT”—a Cyber Security Research Institute report sponsored by F‑Secure—described the tragic state of IoT security by stating bluntly, “In its current form the Internet of Things (IoT) represents a considerable threat to consumers, due to inadequate regulations regarding its security and use.”
Later that same year, both Interpol and the FBI echoed these concerns, warning consumers that the time had come to secure their IoT devices in the same way they secure their laptops and mobile phones.
To get a sense of how abysmal security for Internet-connected devices can be, note that both the California law and the proposed UK legislation include a specific requirement banning “default” passwords.
As noted in a recent F‑Secure IoT Threat Landscape Report, a large number of IoT threats rely on default and weak passwords for infection. This includes variants of the Mirai botnet, which was responsible for one of the biggest denial-of-service attacks in history.
This is a necessary step. As many as one third of IoT attacks abuse weak passwords, F‑Secure’s Tom Gaffney noted.
The use of terrible passwords is not unique to IoT devices, of course. A recent study found that “123456” is still the world’s most common password—but the multitudes of connected web cams, routers and other IoT devices are often easily reachable by these threats through systematic probing of frequently exposed Telnet ports. And because of poor device design, consumers often can’t easily change the password even if they want to.
Securing passwords is just the beginning of IoT security. Advanced threats focus more on vulnerabilities that are inevitable in the development of any hardware or software. Addressing them requires precisely worded regulation.
Cyber security expert Bruce Schneier noted that the vagueness of California’s law points to the danger of vague regulations guiding manufacturers who have proven willing to produce devices with inadequate security.
“The not-so-good news is that ‘reasonable security’ remains defined such that companies trying to avoid compliance can argue that the law is unenforceable,” he wrote.
Again, consumers may be left to the whim of manufacturers placing profit over protection. And consumers aren’t the only ones who suffer.
Unfortunately, internet service providers are likely to bear much of the burden that comes from devices that malfunction or function poorly due to IoT attacks.
But this challenge is also an opportunity.
Consumers already trust their internet service providers. This puts these companies in a prime spot to lead the way in this market and offer something truly valuable: secure, private connectivity for all, everywhere.
Brian Ragsdale—Director, Consumer Product Management at Windstream, a broadband provider that serves over 1 million American families in 18 states—noted that Windstream is called on to deal with any problem that slows down the Wi-Fi connection in the home.
“Some factors we just can’t control. A Wi-Fi router on top of a microwave, for instance,” he said. “Or old devices.”
But they can control security, so choosing the right security and privacy partner makes all the difference.
For F‑Secure, protecting data isn’t just about securing consumers’ own devices and networks. It’s about earning consumers’ trust and honoring the responsibility to make their lives safer and easier.
Windstream is working with F‑Secure and Actiontec to deliver complete security for all devices, including parental controls, through a secure router and a single app provided to customers.
“Customers want to have a simple, easy experience,” he said.
Families have figured out how to add more and more devices to their home Wi-Fi networks. Unless security is just as easy for them to deploy, they will be stuck with the inadequate protections that have left as many as 9 out of 10 home routers vulnerable.
In 2017, Mikko and Linus advised all IoT manufacturers to think of themselves as “a software company.” That advice was clearly not heeded, and we are all paying the costs. And the stakes continue to rise.
“By 2025, many people will have (knowingly or not) around 5,000 digital interactions per day,” Oliver Wyman noted.
Governments are finally stepping up their demands on manufacturers. This may be too little too late.
But there’s still a huge opportunity for those willing to offer the gold standard of security and privacy for IoT, one that extends to every device both in and out of the home, to win the race for consumer trust.
This is the opportunity: service providers and other ecosystem players can partner with established security experts that prioritize consumer privacy. Together they can deliver a reliable, user-centric, personalized service and experience for consumers at home and on the go.
That’s not just the “reasonable” security consumers are due, but the exceptional security and privacy families will see as an investment in their future.