Image source: MIT Technology Review
The growing number of poorly secured IoT devices signifies a serious risk to life and property that government can’t afford to neglect, declared some of the nation’s top security experts at a recent meeting with Congress.
October’s crippling distributed denial of service attack that knocked out internet infrastructure provider Dyn and prevented much of the web from being accessible was “benign,” said Bruce Schneier, cybersecurity expert and Harvard lecturer, at a hearing held by the House Energy and Commerce Committee.
Why? Because no one died. The attack, which relied on a botnet assembled from hacked webcams, camcorders, baby monitors, and other devices, proved more mischievous than dangerous.
But Schneier and other experts warn that it’s only a matter of time before something much more catastrophic occurs; the same security holes that enabled October’s attack exist in many of the IoT electronics that are making their way into hospitals, elevator control systems, and ventilation systems.
Without any incentive to prioritize security, manufacturers are treating it as an afterthought. Even if an informed consumer wanted to assess the relative security of an internet-connected device, there are no established ratings or other measures of comparison. At this point, experts agree that there’s no debating the benefit of government regulation, but how that implementation comes to pass remains hotly debated.
We’re looking at a massive and growing risk, said Kevin Fu, computer science and engineering professor at the University of Michigan. The situation presents a two-sided issue. First, internet-connected devices are making their way into “sensitive places like hospitals,” where disruption has life-threatening consequences. Second, the increasing volume of vulnerable devices on the market makes it easier for hackers to assemble larger botnets. And the larger the botnet, the more likely it is to knock a server offline.
Fu believes that without a “significant change in cyber hygiene,” the internet remains too volatile to support critical systems safely. Fu, who also testified before the committee, recommends that the government establish a separate entity for testing the security of IoT devices, similar to how the National Highway Traffic Safety Administration performs its premarket automotive crash testing.
With a change in administration imminent, it’s unclear whether IoT vulnerability will receive the priority it deserves. In the meantime, the Department of Homeland Security released a set of “strategic principles for security of the Internet of Things,” which you can read here. It also suggested that government can sue manufacturers for failing to “build in security during design.”
Similarly, the National Institute of Standards and Technology published voluntary guidelines for designing “more defensible and survivable” connected systems.
Source: Technologyreview.com