Congress tackles IoT security

Nov. 22, 2016
Recent DDoS attacks demonstrate the dangers posed by unsecured devices

In the wake of recent headline grabbing distributed denial of service (DDoS) attacks, the House Energy and Commerce Committee last week held a hearing to examine the role that connected devices have played in these attacks and what can be done to prevent them from being so easily compromised by hackers moving forward. The issue is critical for the security industry on two fronts.

Many of the devices used in the botnet to block access to domain name service (DNS) provider Dyn last month and the website of cybersecurity journalist Brian Krebs in September turned out to be unsecured surveillance cameras and DVRs. And while the dangers of Internet of Things (IoT) devices have been exposed in these recent attacks, they have also helped to lead a technology revolution in the alarm industry, the future of which now seems largely intertwined with that of the smart home.

Cybersecurity experts have warned about the potential dangers posed by the IoT for years, but their calls to build better security into connected products during the design process so far have gone mostly unheeded by manufacturers. Bruce Schneier, a renowned computer security expert and adjunct lecturer at Harvard University’s Kennedy School of Government, told lawmakers during the hearing that he believes a new federal agency may be needed to regulate the IoT despite what may be the incoming administration’s reluctance towards more government oversight.

“I think government is getting involved here regardless. The risks are too great and the stakes are too high,” Schneier says. “Nothing motivates a government into action like security and fear. In 2001, we had another small government, no regulation administration produce a new federal agency 44 days after the terrorist attack. I don’t see the choice as being between government involvement and no government involvement, but between smart government involvement and stupid government involvement. I would rather think about it now, even if you say you don’t want this, because when something happens and the public says, ‘something must be done, what do you mean 1,000 people just died,’ that we have something more than, ‘I don’t know let’s just figure it out fast.’”

Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), who attended last week’s hearing and also submitted a written statement to the committee, thinks that it will take an unprecedented attack of some kind that potentially results in loss of life for people to finally wake up to the dangers presented by compromised devices.

“It may take a catastrophic event because DDoS is just an annoyance right now, it is a benign incident. These catastrophic events could be everything from overheating devices to cause home fires to bringing down the smart grid because we know all of these devices are interconnected,” Spiezle explains. “The DDoS attacks are just one symptom of what could happen, denial of service, but what if it did that to the banking industry? You’re talking about shutting down banks for a week and you couldn’t get paid. We have to think about those things.”   

How to Address the Issue

Spiezle says there are two main issues that need to be addressed in order to make IoT devices more secure. The first includes manufacturers embracing good, basic cybersecurity principles when developing new products and not becoming so consumed with time to market that they sacrifice security for expediency. The second involves providing adequate, ongoing support to products throughout their lifecycle. The OTA even goes so far as to recommend that retailers pull products off the shelf that fail to meet certain minimum security standards.

“We all talk about, as an industry, security by design and that it has to be integrated and not bolted on… but what do we do about all of these devices - millions of devices that are being purchased every week - that are already installed? Should we even continue to sell them? Until we outline some call to action, we would suggest that retailers should do an assessment and they should take products off the shelf that, for example, don’t have a unique password or ship with default passwords,” he says. “Just like we wouldn’t sell a baby crib that could hurt a child or we wouldn’t sell a toy with led paint, we need to take a harder view of that and we’re looking for leadership in that area.”

Having spent some time with House majority leaders and ranking committee members in the weeks prior to the hearing, Spiezle concurs with both cybersecurity experts and lawmakers that “business as usual” is no longer acceptable and that there needs to be systemic changes in the way IoT products are both brought to market and supported. “Up to now, there has been little incentive for businesses to invest in the security of their products and there has been little incentive for consumers to vote with their pocket book for products that may be more expensive or even ask for more secure devices,” he says.

In addition, Spiezle believes that lawmakers understand the security issues surrounding the IoT and that they realize these recent DDoS attacks are a “warning shot across the bow” about the dangers that potentially lie ahead if left unaddressed.

“Does that mean they are going to act and be able to make a difference in what will truly be another era of partisan politics? I doubt it,” Spiezle says. “We had the same conversation almost three years ago after the Target breach – we were going to have federal legislation, set minimum standards – and nothing happened.”

However, Spiezle says there is clear agreement from everyone that cyber criminals are moving away from benign, disruption of service style attacks that largely serve as an inconvenience to people to ones that could seriously jeopardize life safety.

Initiatives in Progress

Some companies have also started to take more of an initiative when it comes to securing their products. The Z-Wave Alliance, the consortium responsible for overseeing the Z-Wave communications protocol that is used by numerous smart home devices, announced last week that it is implementing new security requirements for all Z-Wave certified IoT devices after April 2, 2017.

In a statement, the alliance said that the new Security 2 (S2) framework was developed in conjunction with cybersecurity hacking experts to provide Z-Wave devices with new levels of impenetrability. By securing communication both locally for home-based devices and in the hub or gateway for cloud functions, the alliance said that S2 completely removes the risk of devices being hacked while they are included in the network. Also, by using a QR or pin-code on the device itself, the devices are uniquely authenticated to the network as well.   

"This recent decision to make the S2 framework mandatory on all Z-Wave certified devices stems from a growing need for industry leadership in the smart home space to take the security and privacy of devices in the market seriously," says Mitchell Klein, executive director of the Z-Wave Alliance. "No one can afford to sit on their hands and wait -- consumers deserve IoT devices in their home to have the strongest levels of security possible. IoT smart home technologies that don't act will be left behind."

While these are good first steps, Spiezle says that it is going to take a greater effort on the part of everyone – manufacturers, government, consumers, and retailers – to ensure IoT products are better protected against hackers. Click here to read the OTA’s recommendations for each of these entities as it relates to securing devices currently being sold and used from their statement on the record.  

“What we’ve been trying to do is have an enforceable code of conduct, a voluntary code of conduct that everyone adheres to,” Spiezle says. “What is challenging is now you don’t have this unified approach and I think that’s fragmenting people.  We took the approach of creating a principle-based model that sits independent of whoever’s technology or standard you use that says you have to encrypt this, you have to do these other things.”

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.