Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/20/2019
10:00 AM
Sivan Rauscher
Sivan Rauscher
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Safer IoT Future Must Be a Joint Effort

We're just at the beginning of an important conversation about the future of our homes and cities, which must involve both consumers and many players in the industry

Though much celebrated, the Internet of Things (IoT) has nevertheless opened a Pandora's box of new challenges in Internet security and data privacy. The need for some sort of oversight seems long overdue. But who should be responsible for ensuring safer IoT devices? Can manufacturers be trusted to provide effective safeguards on their own? Or will government be required to step in?

On March 11, 2019, members of the US Congress suggested a partial answer when it put forth the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which aims to "leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices." While the legislation does not demand standards, if passed, manufacturers must provide devices that are inherently more secure by design — in other words, constructed with internal security features and password protection — to be eligible for lucrative government contracts.

It's been a slow process. IoT devices, after all, have been around for almost 10 years, and US government agencies were aware of security issues at least by 2015. Nevertheless, many cybersecurity experts were suggesting legislation would be a "legal nightmare" and that the only solution was self-regulation. It was a similar situation in the UK. The UK government had previously stated its preference that the industry self-regulate, with some regulation where necessary. But it, too, is in the process of enacting laws aimed at better securing and protecting the data collected by connected devices.

What changed? There are still significant problems with many IoT devices currently available. Cybersecurity experts are also concerned about the longevity of these devices and the ability of manufacturers to provide security updates in a timely manner. A lightbulb may be short lived, but the lifespan of the average refrigerator is between 14 and 17 years. Will the manufacturer even still be in business then?

For these reasons, I think it's also inevitable that future legislation will go much further and establish basic security standards for all devices sold in the US, similar to California's IoT security law SB-327, which prohibits the use of easily hacked default passwords. Nevertheless, while government legislation has the potential to influence manufacturers and suppliers of IoT devices, it's important to look at the big picture.

At this time, we're just at the beginning of an important conversation about the future of our homes and cities, which must also involve many other players in the industry, such as network operators, service providers, cybersecurity professionals, educators, and consumer groups.

While the US Congress is focused on state-level security, privacy concerns of consumers must also be taken into consideration. According to a recent report from Consumers International and the Internet Society, 77% of respondents said data privacy and security are key contributors to their device buying decision-making. Nearly a third of respondents (28%) who haven't yet purchased a smart device said they will not buy one due to privacy and security misgivings.

Manufacturers are well aware of these concerns. Indeed, to protect their own reputations and businesses, they may go beyond any future government guidelines because a major security breach could be disastrous for them. Samsung, for example, recently revealed — completely on its own initiative —  that some of its televisions have vulnerabilities and provided scanning information online. Consumers, after all, do need to stay informed and take some responsibility for their home network safety. But that smart TV is just the beginning.

According to Gartner, by the end of this year, globally, around 14 billion IoT devices will be connecting to the Internet, and that number is predicted to grow to 25 billion devices by 2021. As a number of recent reports have shown, just one vulnerable IoT device can jeopardize an entire home network and threaten a person's privacy and personal security. Where infrastructure is concerned, the security and trustworthiness of an organization or even a public utility may be at risk. If we're to avoid another disaster like that which affected Ukraine, when Russian hackers were able to shut down portions of its power grid, we must work together to ensure everyone's concerns are being heard, from cybersecurity experts to city planners, especially with the further development of 5G networks.

For that reason, smart city conferences, focused on IoT security for industry and citizens, have begun to appear. In 2018, Tel Aviv hosted its first cybersecurity conference for "smart cities" attracting over 7,000 people, including 80 delegations from municipalities around the world.

Bringing together governmental representatives, cybersecurity professionals, tech giants, consumers, and researchers is definitely a step in the right direction. To learn and share knowledge, for example, at SAM Seamless Network, we have partnered with Internet service providers, gateway and IoT manufacturers, global device suppliers, and antivirus companies. We also participate in many working groups to influence the market on a higher level. In the end, securing IoT devices must be a joint effort.

Manufacturers must make IoT devices with the highest possible security measures built in, and make it easy for consumers to change passwords and update firmware. Consumers, for their part, must be prepared to learn how they can protect themselves. Internet service providers can protect the gateways to home networks. Governments must think and plan ahead, using the best data from all available sources, and with the input of consumers and vendors.

By working together, government, industry, SMBs, and consumers will enjoy all the benefits smart, secure IoT devices can offer, including more efficient homes and safer, more productive smart cities.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The 20 Worst Metrics in Cybersecurity."

Sivan is Co-Founder and CEO of SAM Seamless Network, a software-only cybersecurity platform that provides security for unmanaged networks and IoT devices for homes and SMBs.    Prior to founding SAM, Sivan worked at Comsec Global, overseeing cyber projects and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ravidadhich
50%
50%
ravidadhich,
User Rank: Apprentice
4/18/2020 | 7:32:22 AM
What Reason Should You Go for IoT App Development in future?
Internet of Things (IoT) is a vast network of interconnected devices and things through the internet. Which is helpful to transfer, receive, collect and share the data without any direct connection. The first-ever idea which gave acceleration to IoT was a coke vending machine. After this invention, IoT development company started working on the concept behind the design.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32697
PUBLISHED: 2021-06-21
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form F...
CVE-2020-19510
PUBLISHED: 2021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
CVE-2020-19511
PUBLISHED: 2021-06-21
Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
CVE-2021-21422
PUBLISHED: 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however ...
CVE-2021-0532
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177