Why Do IoT Companies Keep Building Devices with Huge Security Flaws?

Earlier this year an alarming story hit the news: Hackers had taken over the electronic key system at a luxury hotel in Austria, locking guests out of their rooms until the hotel paid a ransom. It was alarming, of course, for the guests and for anyone who ever stays at a hotel. But it came as no surprise to cybersecurity experts, who have been increasingly focused on the many ways in which physical devices connected to the internet, collectively known as IoT (the internet of things), can be hacked and manipulated. (The hotel has since announced that it is returning to using physical keys.)

It doesn’t take a great leap to imagine an IoT hostage scenario, or all of the other ways hackers could wreak havoc with the networked objects we use every day. Smart devices permeate our homes and offices. Smoke detectors, thermostats, sprinklers, and physical access controls can be operated remotely. Virtual assistants, televisions, baby monitors, and children’s toys collect and send data to the cloud. (One of the latest toy breaches, involving CloudPets teddy bears, is now the subject of a congressional inquiry.) Some smart technologies can save lives, such as medical devices that control intravenous drug doses or remotely monitor vital signs.

The problem is that many IoT devices are not designed or maintained with security as a priority. According to a recent study by IBM Security and the Ponemon Institute, 80% of organizations do not routinely test their IoT apps for security vulnerabilities. That makes it a lot easier for criminals to use IoT devices to spy, steal, and even cause physical harm.

Some observers attribute the failure to the IoT gold rush, and are calling for government to step in to regulate smart devices. When it comes to cybersecurity, however, regulation can be well-intentioned but misguided. Security checklists that are drafted by slow-moving government bodies can’t keep up with evolving technology and hacking techniques, and compliance regimes can divert resources and give a false sense of security. Add up all the different federal, state, and international agencies that claim a piece of the regulatory pie, and you get a mishmash of overlapping requirements that can confuse and constrain companies — but leave hackers plenty of room to maneuver.

The Obama administration pushed regulatory proposals for cybersecurity infrastructure in its early years, but eventually pivoted to a more effective risk-management approach. This was embodied by the widely acclaimed National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was developed in collaboration with the industry and provides risk-based guidance and best practices that can be adapted to an organization of any size or profile. Early signs are that the Trump administration plans to continue the NIST approach.

A wise next step would be to build on that success and develop a similar framework for IoT. Rather than trying to dictate specific controls for a diverse, growing set of technologies, the framework could harmonize international best practices for IoT and help companies prioritize the most important security strategies for their organization. This is essentially what the bipartisan Commission on Enhancing National Cybersecurity recommended to the new administration in December. A framework could also serve as a much-needed coordination point for a number of fragmented IoT efforts currently under way in federal agencies.

It would be a mistake, however, for the IoT industry to wait for governments to step in. The problem is urgent, and it will become even more so as new IoT attacks come to light, as they certainly will. IoT providers can demonstrate that they are serious about security by taking some basic steps.

First, security and privacy should be incorporated into design and development. Most security testing of IoT devices occurs in the production phase, when it is too late to make significant changes. Planning and investment up front can go a long way. For example, many IoT devices share default user names and passwords that are well known and can be found with a quick Google search. Because most consumers do not change those settings, products should be designed to ship with unique credentials, or require users to set new credentials upon first use. This would thwart the easiest and most widespread method of compromising IoT devices. Just last fall, hackers used known factory credentials to infect thousands of DVRs and webcams with the Mirai botnet, which was used to cause massive internet outages.
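The two design options this paragraph recommends, as an added example that is not code from the article or from any IoT vendor: a device credential store that is either provisioned with a unique random password at manufacture, or ships with a shared factory default that blocks network login until it has been replaced. The blocklist of defaults and the 12-character minimum are assumptions for illustration.

```python
# Added example (not from the article): first-boot credential policy for an IoT device.
# Option A: unique random password per device; Option B: shared default that must change.
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed blocklist of well-known factory defaults the policy refuses.
KNOWN_DEFAULTS = {"admin", "password", "12345", "root", "default"}
MIN_LENGTH = 12  # assumed policy minimum for an owner-chosen password

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class DeviceCredentialStore:
    def __init__(self, initial_password: str, must_change: bool):
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = must_change  # True while a shared factory default is in use

    def verify(self, password: str) -> bool:
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def network_login_allowed(self, password: str) -> bool:
        """Remote services stay closed until any shared default has been replaced."""
        return self.verify(password) and not self.must_change

    def change_password(self, old: str, new: str) -> bool:
        if not self.verify(old):
            return False
        if new.lower() in KNOWN_DEFAULTS or len(new) < MIN_LENGTH:
            return False  # reject known defaults and short passwords
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True

def provision_unique() -> Tuple[DeviceCredentialStore, str]:
    """Option A: random per-device password, returned once to print on the device label."""
    label_password = secrets.token_urlsafe(12)
    return DeviceCredentialStore(label_password, must_change=False), label_password

def provision_shared_default(default: str) -> DeviceCredentialStore:
    """Option B: shared factory default, flagged so first use must replace it."""
    return DeviceCredentialStore(default, must_change=True)
```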

Second, IoT devices should be able to receive software updates for their entire life span. New software vulnerabilities are often discovered after a product is released, making security patching critical to defend against threats. If there are limits to the length of time that updates can reasonably be provided, then the product should be clearly labeled with an “expiration date,” past which security will no longer be maintained.
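One way an asset-management team can act on a labelled expiration date, as an added example that is not code from the article: an inventory check that flags devices whose security-support period has ended or is about to end, and devices running firmware older than the vendor's latest release. The vendor support table, model names and inventory rows are constructed for illustration.

```python
# Added example (not from the article): flag IoT assets by security-support status.
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed vendor data: model -> (latest firmware version, security-support end date).
VENDOR_SUPPORT = {
    "cam-200": ((2, 4, 1), date(2019, 6, 30)),
    "dvr-x1": ((1, 9, 0), date(2017, 12, 31)),
}

# Constructed inventory export: asset tag, model, installed firmware version.
INVENTORY_CSV = """asset,model,firmware
A-001,cam-200,2.4.1
A-002,cam-200,2.3.0
A-003,dvr-x1,1.9.0
A-004,unknown-iot,0.1.0
"""

def parse_version(text: str) -> tuple:
    """Dotted version string -> comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))

def classify(model: str, firmware: str, today: date, warn_days: int = 90) -> str:
    """Return one finding label for a device; support expiry outranks a pending update."""
    if model not in VENDOR_SUPPORT:
        return "no-support-data"  # cannot assess; a risk finding in its own right
    latest, support_end = VENDOR_SUPPORT[model]
    if today > support_end:
        return "unsupported"  # past the labelled expiration date: no more fixes promised
    if parse_version(firmware) < latest:
        return "update-available"
    if today + timedelta(days=warn_days) > support_end:
        return "expiring-soon"
    return "current"

def audit(inventory_csv: str, today: date) -> dict:
    """Map each asset tag in the inventory export to its finding."""
    rows = csv.DictReader(StringIO(inventory_csv))
    return {row["asset"]: classify(row["model"], row["firmware"], today) for row in rows}

if __name__ == "__main__":
    for asset, finding in audit(INVENTORY_CSV, date(2019, 5, 1)).items():
        print(asset, finding)
```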