Watching IoT manufacturers and regulators repeat history (Reader Forum)
“Those who know history are doomed to watch others repeat it.” This bitter observation is something we see frequently when it comes to upholding the security, privacy, and safety regulations governing Internet of Things (IoT) devices. Sometimes it seems like we are doomed to relearn the same lessons over again. We need to avoid the mistakes of the past if we are to build trust and confidence with consumers and create devices which have a positive impact on their lives.
Cyber security lessons
Since at least the 1970s, cyber security has been an area in which we’re constantly improving. As each new technology is introduced, we alternate between extremes of re-imagining new and more secure architectures – such as Apple’s iOS operating system – and forgetting all the lessons of the past. Many of the new IoT devices introduced today fall into the latter category.
We’ve seen this, for example, with the Mirai worm in 2016. Mirai created one of the biggest botnets in history, which took down many large internet services, severely impacted multiple European telecom operators and even took the whole country of Liberia offline. That botnet was mostly made up of internet-connected security cameras and home routers, which were infected because of the poor security practices of the manufacturers of those devices.
We’ve also seen how communication protocols are attacked to compromise IoT devices. In the first half of 2019, F-Secure saw a jump in attack traffic to its global network of honeypots, from millions of hits to 2.9 billion. This trend continued into the second half of the year – and on into the first half of 2020 – with 2.8 billion hits. The great majority of that increase in attack traffic to the honeypot network has come from two sources.
One of the sources of attack used the SMB protocol (port 445, the protocol implemented by Samba on Linux), thanks to the proliferation of the NSA’s cyber weapon of mass destruction, EternalBlue. SMB is a 1983 network connectivity protocol for enterprise file sharing; today it’s mostly used by old Microsoft systems.
The larger of the two sources has been attacks against Telnet, a 1969 protocol for remote network administration of servers. Since the 1990s, Telnet has been replaced in all servers by a more secure protocol, SSH, or remote access has been disabled where it is not needed, removing this attack surface altogether.
Enter cheap IoT devices, often built on top of old, out-of-support Linux distributions, which manufacturers use as-is without attempting even basic hardening steps like removing unused services and protocols. This has resulted in too many new IoT devices having Telnet port 23 open to the internet, with either no password or a very weak default password. Thanks to Telnet, poor password hygiene, a lack of basic hardening actions, and the failure of IoT manufacturers to ship security patches or a way to apply them automatically, we now have multiple families of Mirai-based malware. There are dozens of different botnets at the scale of 2016’s, all competing to infect more and more devices.
These botnets are costly for network operators, which have to carry their Distributed Denial of Service (DDoS) and spam traffic. Ultimately, this reduces the available bandwidth for end users and makes them think their network provider isn’t delivering reliable internet and Wi-Fi services. It can even reduce the longevity of the users’ devices thanks to resource-intensive malware like crypto-miners, which use the CPU and other hardware resources of the device more or less constantly. As a result of this strain, the hardware degrades faster than expected and reaches its end of life sooner.
Privacy is another casualty of our race to deliver IoT devices at scale which, if left unchecked, could undermine an individual’s basic rights governing consent around how, and with whom, their data is shared.
This is despite the fact that we have regulations in place designed to uphold our rights, including Europe’s GDPR and new laws in some US states banning the use of facial recognition. The EU recently voted to pass the Digital Services Act, limiting how customer data can be used in targeting advertising. The UK Government has also published proposed laws to increase the security of smart devices.
While some companies are learning the lesson that most data collection is a toxic liability, many continue to embed tracking and targeted advertising into every possible service, including IoT devices. This has direct security implications – when users do not trust you because of the unwanted surveillance you added without asking, they are suspicious of and reluctant to install your security updates.
Safety regulation lessons
The importance of codifying and enforcing strong safety for consumer goods and services is something that has had to be relearnt over the years.
Consumer devices come with a CE marking to certify they meet basic safety standards. Behind those standards are laws, regulations, and government agencies with powers to inspect, fine, and even criminally prosecute manufacturers whose negligence endangers the public. This is why we don’t need to test our new curtains to see if they will set our home on fire, and why we don’t need to test new toys to make sure they don’t poison our children.
We have forgotten all of these lessons for IoT.
Today, each IoT owner must verify each new device carefully and try to disable unneeded services, apply patches, and update passwords where possible. They must try to set up home network protections for themselves to mitigate the dangers. This situation is obviously good for cyber security vendors, which can help service providers add security and privacy SDKs to home routers, with simple management apps designed to help non-technical consumers protect and understand their devices. It is also good business for service providers, who can use these additional security and privacy services to drive value via ARPU uplift, NPS improvement, and churn reduction.
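As an added example (not code from the article or from F-Secure), the script below applies the hardening checks the article describes, both the manufacturer-side ones (remove unused services such as Telnet, don’t ship empty or weak default passwords) and the owner-side checklist above, to two constructed samples from a Linux-based device: a `netstat -tln` style listing of listening sockets and an `/etc/shadow` excerpt. The sample data, the table of legacy ports, and the severity labels are my own assumptions, not an industry standard; the hashes are made up and are not real credentials.

```python
"""Offline hardening audit for a Linux-based IoT device (constructed sample data)."""
from dataclasses import dataclass

# Constructed sample: `netstat -tln` style output as seen on a cheap IoT device.
SAMPLE_LISTENERS = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Constructed sample /etc/shadow excerpt; the hash values are invented placeholders.
SAMPLE_SHADOW = """\
root::18000:0:99999:7:::
admin:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::
user:$6$saltsalt$constructedhashvalue:18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
"""

# Assumed table of legacy services that have no place on an internet-facing consumer device.
LEGACY_SERVICES = {
    21: "ftp (cleartext file transfer)",
    23: "telnet (cleartext remote administration; the Mirai entry point)",
    69: "tftp (unauthenticated file transfer)",
    139: "netbios-ssn (SMB over NetBIOS)",
    445: "smb (file sharing; EternalBlue-class exploits target this service)",
    161: "snmp (often shipped with default community strings)",
}

@dataclass
class Finding:
    severity: str   # "HIGH" or "MEDIUM" (assumed labels)
    subject: str    # the listener or account the finding concerns
    message: str

def parse_listeners(netstat_text):
    """Return (proto, address, port) for each LISTEN line in netstat -tln style output."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[-1] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # rpartition copes with IPv6 ':::23'
        listeners.append((parts[0], addr, int(port)))
    return listeners

def is_exposed(addr):
    """A wildcard or non-loopback bind means the service is reachable from the network."""
    return addr not in ("127.0.0.1", "::1")

def parse_shadow(shadow_text):
    """Return {user: hash_field} from /etc/shadow style lines."""
    accounts = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            accounts[fields[0]] = fields[1]
    return accounts

def audit_listeners(listeners):
    """Flag legacy services and any other service bound to all interfaces (SSH/HTTPS assumed OK)."""
    findings = []
    for proto, addr, port in listeners:
        if not is_exposed(addr):
            continue  # loopback-only services are not reachable from the LAN or internet
        subject = f"{proto} {addr}:{port}"
        if port in LEGACY_SERVICES:
            findings.append(Finding("HIGH", subject,
                f"legacy service exposed: {LEGACY_SERVICES[port]}; remove it or bind it to loopback"))
        elif port not in (22, 443):
            findings.append(Finding("MEDIUM", subject,
                "service listening on all interfaces; confirm it is needed and restrict its reach"))
    return findings

def audit_accounts(accounts):
    """Flag accounts with no password and accounts protected by weak legacy hashes."""
    findings = []
    for user, hash_field in accounts.items():
        if hash_field == "":
            findings.append(Finding("HIGH", user, "account has no password; any remote login succeeds"))
        elif hash_field.startswith(("*", "!")):
            continue  # locked account: password login is impossible
        elif hash_field.startswith("$1$") or not hash_field.startswith("$"):
            # $1$ is md5crypt; a field with no '$' prefix is traditional DES crypt
            findings.append(Finding("MEDIUM", user,
                "password stored with a weak legacy hash; reset it so a modern hash is used"))
    return findings

def audit(netstat_text, shadow_text):
    """Run both audits and return the combined list of findings."""
    return audit_listeners(parse_listeners(netstat_text)) + audit_accounts(parse_shadow(shadow_text))

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTENERS, SAMPLE_SHADOW):
        print(f"[{f.severity}] {f.subject}: {f.message}")
```

On the constructed samples this reports Telnet on all interfaces and the empty root password as HIGH, the all-interfaces web listener and the md5crypt admin password as MEDIUM, and says nothing about the loopback-only port 8080, SSH, the SHA-512-hashed user, or the locked `nobody` account. Running the same checks over a firmware image before shipping, rather than leaving them to each owner, is the manufacturer-side lesson the article is arguing for.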
Even so, maybe we should learn our lessons from history? It is time for the IoT industry and government regulators to apply the security, privacy, and safety regulation lessons that we all suffered so much to learn in the first place.