An infestation of malware is easily spread to partners sharing the same IoT network service.

While acknowledging that the rapid rise of Internet of Things (IoT) devices contributes immeasurably to convenience for consumers in running appliances in their homes, the risk to security and privacy for consumers installing, configuring and administering these devices is unique, according to a new report from the Broadband Internet Technical Advisory Group (BITAG).

The nonprofit, which brings together engineers and technologists "to develop consensus on broadband network management practices," released the report on Tuesday addressing the myriad devices that tether our electronics to the internet to monitor health and home functions – from locks to heating and water systems to tools that maintain inventories and can order items to restock a pantry.

Focusing on home use of consumer-oriented devices, the report explains how these devices engage with software running on networks and often function without human intervention. By gathering data, IoT devices can analyze and learn to steer activities, expose data patterns, and guide users in their health and financial decisions.

But the danger comes when discussing security and privacy. Unlike other internet-connected devices, those for use in the home and under the control of an uninformed consumer run the risk of polluting a shared network and can impact services further down the line, the report stated.

Most particularly, an infestation of malware is easily spread to partners sharing the service, infecting others with spam and denial of service attacks. Perhaps even more insidious, these devices could be hijacked by unauthorized users who could then use the platforms for surveillance, gain control and even disrupt physical operations, not to mention harass the device owners.

The report explains that reasons for the lack of security and privacy best practices in IoT devices include:

  • lack of IoT supply chain experience with security and privacy
  • lack of incentives to develop and deploy updates after the initial sale
  • difficulty of secure over-the-network software updates
  • devices with constrained or limited hardware resources (precluding certain basic or “common-sense” security measures)
  • devices with constrained or limited user-interfaces (which, if present, may have only minimal functionality), and
  • devices with malware inserted during the manufacturing process. 

Ultimately, the researchers offered mitigation strategies. Topping the list: Changes to device development, distribution and maintenance processes.

For instance, a number of IoT devices ship from factories with outdated software, or with software containing bugs. Without mechanisms to update software, devices could prove vulnerable. Unencrypted communication technologies appropriate for other consumer-driven devices can lead to data leaks on IoT devices. A variety of IoT devices employ automatic software updates; without encryption and authentication, these updates could be intercepted or even disabled.

Also troubling, many IoT devices communicate using cleartext, rather than an encrypted format. Thus, transmissions could be intercepted and comprehended.

The study details a number of other potential vulnerabilities, but the BITAG Technical Working Group ultimately recommends a number of fixes, including:

  • IoT devices should use best current software practices
  • IoT devices should ship with reasonably current software
  • IoT devices should have a mechanism for automated, secure software updates
  • IoT devices should use strong authentication by default
  • IoT device configurations should be tested and hardened
  • IoT devices should follow security and cryptography best practices
  • IoT devices should be restrictive rather than permissive in communicating
  • IoT devices should continue to function if internet connectivity is disrupted
  • IoT devices should continue to function if the cloud back-end fails
  • IoT devices should support addressing and naming best practices
  • IoT devices should ship with a privacy policy that is easy to find and understand

Additionally, BITAG recommended that IoT devices support the most recent version of the Internet Protocol, IPv6, and support the use or validation of DNS Security Extensions (DNSSEC) when domain names are used.

Some industry experts, while applauding the efforts of BITAG, expressed a number of reservations.

"These recommendations by BITAG are comprehensive and insightful, but proposed recommendations that don't have a carrot or a stick to drive incentives or dis-incentivize are pretty ineffective," Rod Schultz, vice president of product at Rubicon Labs, told SC Media on Wednesday. "The BITAG group has a lot to lose by poor IoT security, and must find a way to make what they recommend simple, easy to implement and enforceable."

The challenge, Schultz said, is that the power of the IoT is rapidly being realized and, so far, its velocity is not impacted by security. "It is trivial to connect a device to a network but incredibly difficult to do it securely," he said. 

"A Hammurabi's code for IoT security needs to come with consequences, and unfortunately these recommendations may simply go down in history as aspirational dreams," Schultz said.

Mike Ahmadi, global director, critical systems security at the Synopsys Software Integrity Group, also applauds BITAG's efforts to set guidelines for addressing security in IoT devices, but remains concerned by a complete lack of baseline verification and validation of cybersecurity. "The mere presence of guidelines does not mean practices are followed," he told SC Media on Wednesday. "In industries where safety is a concern, validation and verification standards exist and must be followed, with some requiring certification."

He added that as IoT security issues continue to grow, this can impact consumer safety. He said it is important to consider a program like the UL Cybersecurity Assurance Program as a way to verify and validate that baseline practices are being followed, allowing consumers to make a more informed choice.