The Internet of Things allows us to use a mobile app to adjust our thermostats and watch our pets when we’re at work. Overall, smart devices, while far from perfect, offer us convenience and make our lives easier. Like I’ve said before, we’re living in a golden age of technology that offers incredible benefits.
But major IoT security issues have tarnished our smart devices and risk turning them into pollutants that threaten the Internet's core. Like we saw last month, when compromised DVRs and Web cameras were used to launch a massive DDoS attack that cut off access to many major websites for a large swath of the U.S., too much IoT pollution can damage our shared computing environment.
Solving the IoT pollution problem means addressing the huge security flaws in these products. Many of these problems stem from the fact that manufacturers are eager to get their products to market as quickly as possible. This is natural. Who isn't worried about getting features out fast? But that mindset assumes someone else is handling security, and so security never becomes a priority. It's not so much that security is seen as unimportant by the vendor or the customer as that it isn't even really seen.
This approach floods the market with buggy devices that attackers can easily exploit. The commercial off-the-shelf (COTS) operating systems shipped on these devices should expose only the functionality the device's mission requires. They should not, by default, be complete general-purpose operating systems until our security processes catch up. Does a coffee pot need Telnet or FTP listening on the network, for instance? Every service that isn't needed is attack surface that nobody is watching. While we're still figuring out how to unlock the potential of connected devices, that doesn't mean we can't take a few basic steps to improve IoT security now.
At a minimum, all IoT devices should have the ability to receive software updates, a feature that an alarming number of products lack. Even if a security problem isn't evident during a product's development, manufacturers should assume that one will eventually emerge. All products need a mechanism that allows future software problems to be fixed in the field. That mechanism has to be protected as well: an update channel that accepts unauthenticated images is itself a way in, so updates should be signed and verified on the device before they are applied. People who own vulnerable products that can't be patched are left with two less-than-ideal options: throw out the device or keep using it despite the security risks.
To decrease the security risks of IoT products, there need to be incentives for finding bugs. People who discover flaws should be rewarded and credited, and their findings should be used to foster a robust security research community. Treating people who report bugs as security risks, ignoring them, or treating them like pariahs won't improve IoT security.
Another basic requirement is a mechanism that forces users to change a device's default password before it goes into service, if the device needs a default password at all. It is possible to set up strong authentication from the start: require registration and bind the device to an owner's identity as it is installed or configured, and keep network services off until that has happened. The process people use to change their passwords also needs to be easier. Getting users to change a default password is already challenging; a system that's overly complicated will only discourage them further.
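As an added example of the first-boot policy described above (this is illustrative code written for this page, not code from the original post or from any vendor): a credential store that refuses the factory defaults, enforces a minimum password policy, stores only a salted PBKDF2 hash, binds the device to an owner identifier, and reports whether network services may start. The factory default list, the store layout, and the `owner_id` field are assumptions for the example.

```python
"""First-boot credential provisioning for an IoT device (added example).

Models a device that ships with factory default credentials and must be
provisioned by its owner before any network service is allowed to start.
The default list, the in-memory store and the owner_id binding are
hypothetical stand-ins for whatever a real device would persist in flash.
"""
import hashlib
import hmac
import secrets

# Constructed list of factory defaults this product line has ever shipped.
# Botnets that scan for IoT devices try exactly these pairs, so none may
# survive provisioning, whether the user typed them back in or not.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 200_000  # tune to the device's CPU; keep it slow for attackers


class ProvisioningError(ValueError):
    """Raised when a credential change violates the device policy."""


def validate_password(username, password):
    """Reject defaults, short passwords and passwords built from the username."""
    if (username, password) in FACTORY_DEFAULTS:
        raise ProvisioningError("factory default credentials are not allowed")
    if len(password) < MIN_PASSWORD_LEN:
        raise ProvisioningError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    if username.lower() in password.lower():
        raise ProvisioningError("password must not contain the username")


class DeviceCredentialStore:
    """In-memory stand-in for the device's persisted credential record."""

    def __init__(self):
        self.provisioned = False
        self.username = None
        self.owner_id = None   # identity the device is bound to at install time
        self.salt = None
        self.digest = None

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def provision(self, username, password, owner_id):
        """One-time setup: only allowed while the device is still unprovisioned."""
        if self.provisioned:
            raise ProvisioningError("device already provisioned; use rotate()")
        if not owner_id:
            raise ProvisioningError("device must be bound to an owner identity")
        validate_password(username, password)
        self.username = username
        self.owner_id = owner_id
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(password, self.salt)
        self.provisioned = True

    def verify(self, username, password):
        """Constant-time check; always fails on an unprovisioned device."""
        if not self.provisioned or username != self.username:
            return False
        return hmac.compare_digest(self._derive(password, self.salt), self.digest)

    def rotate(self, old_password, new_password):
        """Simple password change: prove the old one, then apply the same policy."""
        if not self.verify(self.username, old_password):
            raise ProvisioningError("current password is incorrect")
        validate_password(self.username, new_password)
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(new_password, self.salt)


def services_may_start(store):
    """Web UI, API and any remote access stay down until provisioning is done."""
    return store.provisioned


def try_provision(store, username, password, owner_id):
    """Helper for scripting and tests: 'ok' or the policy error message."""
    try:
        store.provision(username, password, owner_id)
        return "ok"
    except ProvisioningError as exc:
        return str(exc)


if __name__ == "__main__":
    store = DeviceCredentialStore()
    print("services up before setup:", services_may_start(store))
    print(try_provision(store, "admin", "admin", "owner-42"))
    print(try_provision(store, "admin", "correct horse battery", "owner-42"))
    print("services up after setup:", services_may_start(store))
    print("default still works:", store.verify("admin", "admin"))
```

The important design choice is that `services_may_start` is the gate the device's network daemons consult, so an unconfigured unit on the open Internet answers nothing rather than answering with `admin`/`admin`. The hash and the constant-time comparison are standard-library calls, so the same pattern fits a small embedded Linux image without extra dependencies.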
Ultimately, people use IoT devices, and this needs to be remembered when discussing possible government regulation of smart devices. Consumers care more about whether a device meets their needs than about its security. Any regulation needs to start from how a person will actually use a device, not from a lawmaker's inaccurate or uninformed view.
With our kinetic lives increasingly intertwined with our cyber lives, there's an urgent need to improve IoT security. Until now, people haven't had to worry about malware like Mirai commandeering their DVRs and using them to knock large parts of the Internet offline. While the fallout from the DDoS attack that targeted DNS service provider Dyn was not life threatening, the next one could have far worse consequences. Attackers could go after infrastructure and take a power plant offline, or target a hospital and overwhelm its network. The security community can't let this happen. We need to build security into IoT devices and stop polluting the Web with easily exploitable products.
There is talk of the U.S. government regulating IoT devices, perhaps through an entity akin to the Environmental Protection Agency but for embedded systems. While that is an obvious answer to some, any such effort should be as global in scope and as respectful of Internet neutrality as possible. We don't want to create a Big Brother for the Internet that chokes innovation, the free flow of information, and the evolution of infrastructure. But we do want to make sure that a killer feature or a successful company doesn't pollute the "air" so badly that no one can breathe online.