IoT/Embedded Security

Joe Stanganelli
News Analysis-Security Now

IoT Regulation Could Save the Internet

Momentum may be building for meaningful (and useful) security regulations for the IoT.

"The Internet of Things leads also to the Internet of Threats because, obviously, every device that has [connectivity to] the Internet built into it becomes subject to hacking; that's just the bottom line," said US Senator Edward Markey (D-Mass.) in a Senate Subcommittee hearing last year. "If you don't deal with the threats, then all you are doing is ignoring the inevitable problems that are going to be created."

Markey is known for having IoT regulation as a pet issue -- particularly when it comes to automobile connectivity (he has dubbed modern cars "computers on wheels"). Four years ago, Markey and fellow US Senator Richard Blumenthal (D-Conn.) pressed automaker executives on the issue of cybersecurity in their vehicles. Since then, Markey has grown fond of saying, "Thieves no longer need a crowbar to break into your car; they just need an iPhone."

Markey isn't far off the mark. Hackers have time and again demonstrated proofs of concept that cars can be hacked -- while being driven -- such that they can be completely controlled and cause massive damage to the car, to people in the car, and to others.

Other forms of IoT bear their own hackable forms of lurking danger, too. While cybersecurity pundits and government entities alike have voiced fears of the Internet of Things becoming an Internet of Murderables (See: A Killer App), the more realistic and common problems of IoT security are far more mundane yet still highly destructive -- such as botnets spreading ransomware and perpetrating DDoS attacks. (See: How Secure Are Your IoT Devices?)

Indeed, Markey and other politicians have stretched their IoT interests beyond basic motor-vehicle and medical-device safety. At the start of 2015, the Federal Trade Commission ("FTC") released a report on IoT data-protection issues based on a series of workshops the Commission had held in 2013. In it, the FTC -- already all-powerful over nearly all things consumer protection in the United States -- argued that it needed more "technology-neutral" legislation in order to regulate IoT data privacy. For all the good the FTC's technology-neutral power has done to protect consumer data privacy, consider the current case of Uber and its data-breach cover-up -- which happened while the FTC was already looking over its shoulder, Uber being subject to a 20-year consent order.

This is perhaps a key point in the cybersecurity regulation debate. Without question, Uber has earned its reputation as a data-protection bad guy. Some technologists feel that IoT cybersecurity laws and regulations will do more harm than good -- flogging the peasants instead of punishing the princes.

"This is an area of intense debate," Chris Richter, senior vice president of Global Managed Security Services at CenturyLink, told Security Now. "There is one school of thought that the federal government and foreign governments need to set IoT security standards and just make a policy -- and the other half says, 'No, you get government meddling in it and it will just increase cost, it will slow down commerce, and they'll do a poor job of implementing security controls for IoT.' "

On the pro-regulatory side, Bruce Schneier, CTO of IBM Resilient and a well-known cybersecurity expert, has proposed creating a new regulatory agency specifically governing the Internet and connected devices -- similar to how the Federal Aviation Administration ("FAA") regulates aircraft and airspace -- because the "freewheeling" and "integrated" nature of our new IoT world can be ambiguous when it comes to government oversight and jurisdiction.

"Our world-size robot needs to be viewed as a single entity with millions of components interacting with each other. Any solutions here need to be holistic," argues Schneier. "They need to work everywhere, for everything. Whether we're talking about cars, drones, or phones, they're all computers."

Richter, for his part, falls in the opposite camp when it comes to IoT regulation -- believing that industry can and should solve this problem itself, creating a sort of Good Housekeeping seal of approval for IoT cybersecurity. To this end, Richter argues that IoT cybersecurity can be sold as a feature -- even to consumers.

"I think most people would pay a little bit more for a refrigerator that [they] knew wasn't hacking [their] home network," says Richter. "I'm not a consumer marketing expert, but… I would certainly pay more for that kind of assurance."

From there, Richter argues, the customer's imagination may run wilder than the actual likelihood of damage.

"Most consumers don't really understand how security works, but they're thinking, 'Hey, if I don't buy the refrigerator that has the security seal of approval… is a hacker going to get into my [refrigerator] and then into my bank accounts?' " said Richter. "That's the leap that a lot of consumers will make -- [that] it's going to get into everything."

Proponents of IoT security regulation, however, argue that the free market fails on this issue from a strategic-modeling standpoint -- even setting aside the extreme dystopian fantasies of zombie cars and sabotaged pacemakers.

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features," argues Schneier. "There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Richter disagrees, stating that even botnet malware can hamper an IoT device's fundamental functionality. A "smart" appliance "disrupted" too badly by malware may stop functioning, claims Richter -- much the same way that an infected computer may slow down to the point of being nearly non-functional.

Moreover, compromising just one connected device on a network can give an attacker a foothold from which to reach other devices on the same network. Thus, an entire "smart home" may be hacked via a single device's vulnerability.

Meanwhile, on Capitol Hill, Markey has proposed a bit of baby-splitting. He and Congressional Representative Ted Lieu (D-Calif.-33) recently introduced bicameral legislation to create a "voluntary cybersecurity certification program" for all connected instruments sold in the US -- computers, phones, and IoT devices. Dubbed "the Cyber Shield Act," the bill is something of a half-measure compromise between IoT regulationists and IoT free-marketers. If passed, the bill would direct the Secretary of Commerce to create a "Cyber Shield Advisory Committee" -- composed of members from both the private and the public sector -- to advise on cybersecurity issues and best practices for IoT and other connected devices.

In this respect, Markey and Lieu's bill is to strengthening IoT security what the Digital Security Commission Act -- introduced nearly two years ago by Senator Mark Warner (D-Va.) and Rep. Mike McCaul (R-Tex.-10) -- was to weakening private-sector encryption. Some cybersecurity and privacy advocates opposed the McCaul-Warner bill, criticizing it as little more than a way to pressure the InfoSec community into doing the government's anti-encryption bidding -- disguised as a collaborative compromise. (The McCaul-Warner bill apparently died in subcommittee about a month after it was introduced.)

The Markey-Lieu bill, however, shows signs of potentially being less about government coercion and more about actual voluntary standards setting. The legislation's key feature is that the Cyber Shield Advisory Committee would also offer a "Cyber Shield" seal -- similar to the kind of seal Richter favors -- for device makers and sellers to put on devices that meet the Committee's standards.

It remains to be seen how much support the bill gains -- let alone how effective it could actually be. It remains entirely possible, regardless of how things turn out with Markey's legislation, that the federal government's direct involvement is inevitable.

"[IoT has a] lot of different security requirements, and the effects of getting them wrong range from illegal surveillance to extortion by ransomware to mass death," observes Schneier. "Governments will get involved, regardless. The risks are too great, and the stakes are too high. Government already regulates dangerous physical systems like cars and medical devices. And nothing motivates the US government like fear."

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
