Story image

Standards, regulation, and accountability are required to avoid IoT Armageddon

02 Nov 16

Potential security concerns regarding the deployment of an ever-increasing number of Internet of Things (IoT) devices are well documented. 

However, such concerns routinely focus on the potential vulnerabilities of individual solutions rather than recognising the implicit dangers in a global system that is only “as strong as its weakest link.

The Dyn DDOS event is a wake-up call

The recent Dyn distributed denial-of-service (DDoS) attack has caused consternation in the technical communities intimately concerned with the “plumbing” of the Internet. 

While the debate as to who, what, and why the attack took place remains the subject of detailed sleuthing, a security paradigm shift has occurred that is going to challenge governments worldwide.

The attack used a large botnet of low-grade, poorly secured Internet devices – it’s possible that your fridge, your neighbor’s router, or my TV was involved. 

As the number of devices connected to the net increases exponentially, there is a significant aggregated risk to overall network integrity from millions of low-cost, poorly-designed, never-patched, unmanaged devices coming online.

Where cost is the prime determinant of low-end, no-brand devices’ security is an afterthought, if it is even thought of at all. Products with no password, default passwords, no encryption, open insecure ports, known vulnerabilities, and an inability to patch flaws even if they are detected abound at the cheap commodity end of IoT. 

While an initial response is often “buyer beware,” unfortunately, in aggregate, these devices have the capability to wreak havoc on the wider population.

Regulation may be a dirty word, but when products have the potential to cause significant harm, society expects government to mandate standards and regulate to ensure they are adopted. 

Motor cars must be built to safety standards, and manufacturers are held responsible when they are not – as Toyota found with its faulty accelerator issues. Samsung’s recall of the Note 7 due to the potential fire hazard is similarly well known. In both cases, well-respected companies recalled their product due to consumer and government pressure.

In the IoT space, the greatest risk is generally not from the well-known products, which tend to be designed with security considered from the outset and are promptly remediated when flaws are detected. The biggest concern is with low-end generic or unbranded devices from smaller manufacturers.

Addressing the challenges posed by these products will require administrations to consider a model like electrical goods or children’s toys, where, regardless of price point, minimum standards must be maintained and local safety regulations complied with. 

Furthermore, manufacturers and their local distributors are held liable for loss or damage resulting from substandard design.

Identifying what those minimum standards should be will be challenging, not least to ensure that the system isn’t gamed by vested interests to reduce competition, but the Dyn event highlights the frightening potential from continuing with an “anything goes” approach to network device connectivity.

Just as the new-model virtual businesses, such as Uber and Airbnb, are requiring governments to rapidly develop new-model regulations, pervasive IoT will necessitate legislators walking a fine line that protects the “Internet commons,” without stifling technical innovation.

Article by Al Blake, Ovum analyst

What MSPs can learn from Datto’s Channel Ransomware Report
While there have been less high profile attacks making the headlines, the frequency of attacks is, in fact, increasing.
Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why Australian enterprises are prime targets for malware attacks
"Only 14% of Australian organisations are continuously training employees to spot cyber attacks."
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
"Is this for real?" The reality of fraud against New Zealanders
Is this for real? More often than not these days it can be hard to tell, and it’s okay to be a bit suspicious, especially when it comes to fraud.