Lax IoT device security threatens to pollute the internet

DDoS attacks powered by hijacked IoT devices have the potential to do much more than take down popular websites

DVRs, IP cameras and other smart products could become the next wave of pollutants that threaten how we live if the security issues around Internet of Things (IoT) devices aren’t addressed.

We’ve already seen that too much IoT pollution can wreck our computing environment. The October DDoS attack that brought down Twitter, Netflix and other major websites for a large portion of the U.S. was launched by a botnet comprised of Web cameras, printers and other IoT devices.

And while having those sites offline was an inconvenience, the results of that attack weren’t devastating. But future DDoS attacks that throw terabits of data at servers could have more disastrous results. Instead of going after an internet traffic management company, the attackers could target a hospital or a utility provider. Not being able to binge-watch Netflix shows pales in seriousness when compared to cities not having electricity or a doctor being unable to access electronic medical records.

When no one owns security, buggy products flood the market

Solving the IoT pollution problem means realizing that someone must address device security. Vendors, eager to get their product into the hands and homes of consumers as quickly as possible, see security as a hurdle that slows their time to market. This is a valid concern. No business wants to lose customers and revenue.

Security, though, doesn’t top people’s list of concerns when buying or using an IoT device. To them, it’s somebody else’s responsibility. They’re more interested in how easy their smart product is to use or the features that come with it. If more people were worried about hackers commandeering their routers, perhaps they’d be more inclined to change the device’s default password or install software patches.

The result of no one owning device security is a market filled with products containing flaws that the bad guys can easily exploit. To counter this, common-sense policies should be enacted to decrease the opportunities for attackers to hack into connected devices. We’re living in an era when technology holds great potential to make our lives easier and more productive. This is especially true for the Internet of Things. But we risk squandering the amazing opportunities technology presents us if we don’t implement some basic measures to improve embedded system security.

The ability to patch flaws is essential

All IoT devices need to be able to receive software updates. A surprising number of products lack this basic and essential feature. While security problems may not arise during the product’s development or quality assurance phases, vendors need to assume that an issue will eventually emerge. Devices need a mechanism that allows software problems to be addressed with patches. Vulnerable products that can’t be fixed present their owners with two poor choices: either continue to use the devices despite the security risks or throw them out.

Vendors also need to consider the software functions they include in their products. Adding features that aren’t essential to the product’s basic functionality only increases the likelihood for bugs and increases the attack surface. Does a smart blender really need Telnet or FTP, for example?

Force users to change default passwords

Another basic function is a system that forces people to change a device’s default password. We all know that people rarely pick a new password when they set up a device, providing hackers with an easy way to carry out their attack. This system needs to be very user friendly, since getting people to change their passwords is already challenging. A process that’s extremely complicated will only turn people off.
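
One way to enforce the forced-change step described above, as an added example (not from the article or any vendor's firmware). The `Device` class, the `admin` factory default and the 10-character minimum are assumptions for illustration; the point is that the default password unlocks nothing except the change-password step, and that each rejection comes with a plain-language reason.

```python
import hashlib
import hmac
import os

FACTORY_PASSWORD = "admin"  # constructed sample default, not from any real product
MIN_LENGTH = 10             # assumed policy value for this example


def _hash(password, salt):
    # Salted, slow hash so the device never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical device whose features stay locked until the default is replaced."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(FACTORY_PASSWORD, self.salt)
        self.must_change = True  # set at the factory, cleared only by set_password()

    def _check(self, password):
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, password):
        if not self._check(password):
            return "denied"
        # A correct default password only unlocks the change-password step.
        return "change_required" if self.must_change else "ok"

    def set_password(self, current, new):
        # Returns (accepted, message); messages are short and actionable.
        if not self._check(current):
            return False, "Current password is incorrect."
        if new == FACTORY_PASSWORD:
            return False, "Pick a password different from the factory default."
        if len(new) < MIN_LENGTH:
            return False, "Use at least %d characters." % MIN_LENGTH
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True, "Password updated."

    def stream_video(self, session):
        # Normal features run only for a session obtained after the change.
        return session == "ok"
```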

Remember: People, not regulators, use IoT devices

Infosec professionals recently testified before a Congressional subcommittee on the need for the government to regulate IoT devices. Any regulations should maintain network neutrality and take as global a perspective as possible.

The security issues around embedded systems aren’t limited to the U.S. Ultimately, IoT devices end up in the hands of people, a fact that needs to be considered when talking about potential regulations. Any laws need to come from the perspective of how a person will actually use a product. Regulations drafted by lawmakers who hold inaccurate views of technology or are looking to play the part of Big Brother will only hurt the nascent IoT movement.

Regulations should stop device pollution but not hinder innovation

We don’t want to burden companies and users with excessive and overreaching laws that stymie innovation and the free flow of information. But we do want to ensure that the next great product doesn’t pollute the air so that no one can breathe online.

Copyright © 2016 IDG Communications, Inc.