By Cameron Camp
I just returned from CES, where virtually every aisle was chock-full of IoT devices. But how secure are they? While we’ve been promoting security on these devices for some time now, IoT developers have been slow to adopt. Lawmakers in California took some notice in 2018, and now it seems that legislators in the United Kingdom want to take things to the next level, too.
“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”
Whether or not the legislation is enacted, this sends a strong signal to the industry that government intervention seems likely. While other countries may take a wait-and-see approach, it seems likely that further laws will be enacted around the globe over time.
The good news is that basic IoT security steps are not overly burdensome. Requiring the new owner to change the default login password at first login is something the industry has known about for some time, and it is not costly to implement.
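To show what that first-login requirement looks like in practice, here is an added example (not code from the article or from any vendor) that models a hypothetical device's authentication state. The factory credential (constructed as `admin`/`admin` for illustration) can only be used to set a new password; every other request is refused until that happens, the new password may not be the factory default, and the stored hash is salted so the same password never hashes the same way on two units. The PBKDF2 iteration count and minimum length are assumptions for the example, not a recommendation from the page.

```python
import hashlib
import hmac
import os

# Constructed factory credential for a hypothetical device (illustration only).
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LEN = 12          # assumption chosen for this example
PBKDF2_ITERATIONS = 200_000    # assumption chosen for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class DeviceAuth:
    """Minimal first-login flow for a hypothetical IoT device.

    The factory credential is accepted exactly once, and only to reach the
    password-change step; normal device functions stay locked until the
    owner has replaced it.
    """

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._hash = _hash_password(DEFAULT_PASSWORD, self._salt)
        self.must_change = True  # set at the factory, cleared only by set_password()

    def _verify(self, password: str) -> bool:
        # Constant-time comparison so a wrong guess cannot be timed.
        return hmac.compare_digest(_hash_password(password, self._salt), self._hash)

    def login(self, user: str, password: str) -> str:
        """Return 'denied', 'setup_required' or 'ok'."""
        if user != DEFAULT_USER or not self._verify(password):
            return "denied"
        return "setup_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; refuses the factory default and weak values."""
        if not self._verify(current):
            return False
        if new == DEFAULT_PASSWORD or new == current or len(new) < MIN_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)  # fresh salt on every change
        self._hash = _hash_password(new, self._salt)
        self.must_change = False
        return True

    def handle_request(self, user: str, password: str, action: str) -> str:
        """Gate every device action behind the forced first-login change."""
        state = self.login(user, password)
        if state == "denied":
            return "denied"
        if state == "setup_required" and action != "set_password":
            return "setup_required"
        return "ok"


if __name__ == "__main__":
    device = DeviceAuth()
    print(device.handle_request("admin", "admin", "view_status"))  # setup_required
    print(device.set_password("admin", "admin"))                    # False: default rejected
    print(device.set_password("admin", "correct horse battery staple"))  # True
    print(device.handle_request("admin", "admin", "view_status"))   # denied: default no longer works
```

The important design choice is that `must_change` is a property of the device's state, not of the user interface: a request over any channel (web UI, mobile app, local API) goes through `handle_request`, so there is no path that skips the forced change.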
Setting a lifespan for firmware updates certainly does cost more, since companies would be paying to support firmware that no longer directly results in revenue. Companies with a longer-term vision tend to already be thinking along those lines, but forcing them to state when support will end brings it to the fore.
It’s unclear whether customers understand the importance of knowing the support lifespan until it lapses years later and vulnerabilities are then discovered.
The industry counters obtusely by promoting frequent customer upgrades in light of new technological advances to their platforms, but those upgrades don’t always happen. Everyone knows someone with a 5- or 10-year-old home router for which support has long since lapsed while the device itself is still actively in use.
And that’s the problem.
We see newly minted attacks against herds of common routers that show no signs of being retired anytime soon. These machines, once zombified, can be used to launch and amplify attacks worldwide, often without the knowledge of their owners.
One more thing: the UK lawmakers seek to compel companies to maintain a security point of contact, something that’s all but impossible to find today, especially in smaller companies.
Will this legislation slow innovation? Somewhat, but hopefully the proposed changes would only require moderate efforts from good actors to implement. And whether or not this draft of proposed legislation becomes law, some soon will, so manufacturers would do well to take note.