IoT security legislation needed

Suppliers of internet connected devices are largely failing to improve the security of their products, exposing users to privacy risks, so there is no choice but to legislate in this area, says a researcher

 Suppliers of internet connected devices are largely failing to improve the security of their products, exposing users to privacy risks, so there is no choice but to legislate in this area, says a researcher

 

Most suppliers notified of security and privacy issues in their smart products are “intransigent” and make no effort at all, according to security researcher Ken Munro, senior partner at Pen Test Partners, which specialises in the security of internet of things (IoT) devices.

Munro has  spent the past five years fighting manufacturers of smart products and trying to influence behaviour and make products more secure, but, by and large, he says himself, that he has failed, because the security of smart devices is actually getting worse.

Munro and his colleagues have exposed the security vulnerabilities in a range of IoT devices, including Samsung smart TVs, door locks on Mitsubishi Outlander vehicles, the Cayla interactive doll, the iKettle and the Swann home security camera.

While some of the larger brands, such as Ring, now owned by Amazon, and BB-8 toy makers Sphero, licensed by Disney, have been good about responding to security vulnerability reports, Munro said most suppliers are startups or bigger brands buying in third-party products.

These organisations typically do not have the resources, and it has never been on their radar to do security – that’s why Munro thinks they need to have some big sticks to ensure manufacturers put in some very basic security.

When security vulnerabilities are discovered, Pen Test Partners follows a policy of responsible disclosure to the manufacturers to give them an opportunity to fix it before going public with the findings.

IoT suppliers deliberatly ignore warnings

Munro’s experience with almost every single IoT supplier they have ever disclosed to – and they have done two to three disclosures per week for the past four years – is that they simply ignore him, nothing happens and they carry on selling their product, profiting out of making people vulnerable.

IoT widely used in business context

While IoT is generally thought of in terms of consumer products, he pointed out that some IoT systems are widely used in the business context such as building management systems that control the heating, cooling, door locks and fire alarms.

It is important that businesses think about the IoT devices they have in their environments. The gap between IT and services often creates opportunities for technology to cause problems, and so there are some key questions businesses need to ask suppliers, retailers, hardware manufacturers so you know whether you are buying a good product or one full of security vulnerabilities.

Munro said he was able to buy a controller of a business management system online and was able to find vulnerabilities that could be exploited to discover the password of the embedded server that would enable an attacker to take complete control of the building management system.

According to Shodan, the search engine for embedded devices on the internet, hundreds of these controllers have been put into organisations by third-party installers and put straight on the internet for remote access and control, which means an attacker could do things like unlock doors and set off fire alarms to force an evacuation of a building.

Munro even discovered that some of the devices had been infected with cryto-mining malware to generate cryptocurrencies for cyber criminals.

In recent days, he said Pen Test Partners have been working on third-party car alarms. They believe that over five millions cars can be located, unlocked and the engine started and driven away, so in general, IoT security is a train wreck.

The UK has so far stopped short of regulation, electing instead to publish a Secure by Design voluntary Code of Practice (CoP) in October 2018 that was developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC).

While the final version of the CoP is largely unchanged from the draft version, it has been revised to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned Data Protection Act to facilitate regulatory implementation in future.

Initial IoT draft did not address refusal to follow guidelines

The CoP is a great start, but there is still more to be done, he would like to see fresh primary legislation in the IoT arena in the UK, but this will take time. It would also be reasonable to let the CoP guidance ‘bed in’ with manufacturers. If they don’t start to change behaviour, that would be the time for regulation.

Munro believes giving consumers the right to return vulnerable smart products for credit will create financial incentives for manufacturers to improve security, as will retailers committing to not stocking vulnerable smart tech, backed up by trading standards legislation. He would also like to see manufacturers delivering product security updates for the foreseeable life of the product.

Munro thinks demonstrating security in a product will actually drive sales because if someone can buy a smart thermostat and know it is secure, that will increase sales in the market.

The proposed European Cybersecurity Act, however, covers only corporate and medical devices, including critical national infrastructure, but is currently voluntary for consumer devices, he said.

Munro finds it to be a  real shame, because consumer devices are as much of threat because they have shown how attackers could aggregate smart thermostats and take the electricity grid. He thinks they have to bring in regulation – they have no choice. It is simple, and they could learn so much from that, it would enable them to say this is what they want, and then they can start to build up the next layer of accreditations and the next layer of regulation – but they should do the basics first.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email [email protected] or complete the form on our contact page NOWContact Cyber 139