In 2016, one of the worst DDoS attacks in history was unleashed upon the Internet. Spotify, Twitter, Etsy, Visa, and numerous other companies fell victim to what we now know as the Mirai botnet -- a powerful form of malware that exploited unsecure IoT devices and left nearly 65,000 of them infected within the first 20 hours alone. One of the most shocking parts of it all was that those ultimately convicted of the crime weren't nation-state terrorists or sophisticated cyber warfare criminals, as originally expected. Instead, they were found to be three clever college students who originally hoped to profit off the popular video game, Minecraft, but only left chaos in their wake.
It was one of the major events that opened the world's eyes to how vulnerable these devices are and how easily they can be taken advantage of - enough to completely devastate consumers, businesses, and any number of organizations.
Nearly four years later though, there is still yet to be universally recognized IoT security standards in place to significantly reduce future risk on a global level - leaving government bodies, agencies, and oftentimes individual manufacturers to dictate their approach independently of one another. With such extreme fragmentation, including across the United States, it's become even harder for manufacturers, carriers, and technology providers alike to ensure that products and the overall supply chain are secure, that this is achieved at the scale required, and that the process altogether avoids significantly hefty costs.
A Look at the Status in the States
The U.S. has both state-driven as well as federal regulations either in place or underway. California for instance was one of the first to step up by enacting the State Bill 327, but it left some important questions unanswered. For instance, removing preprogrammed passwords was key, but its clause around reasonable security begged the question, "what exactly can be considered reasonable"? Oregon's House Bill 2395 also included similar "reasonable security" and "preprogrammed password" language but took it a bit further by adding requirements for authentication before one can gain access to connected devices for the first time. It took a half step backward, however, by noting it was only upheld if there was no federal law in place. And while Virginia also passed its own House Bill 2793 that dictated the number of characters and numbers needed for passwords, this can become problematic when - say - a manufacturer is shipping connected light bulbs to one state that needs a 15-character password versus another that calls for 15, plus additional special characters. Overall, with the potential for 50 states to uphold different laws and regulations, it makes for an incredibly complex web to navigate in the future.
At the federal level, Congress has also tried to tackle these issues by introducing not one, but two different bills: The Cyber Shield Act and the IoT Improvement Act, neither of which have been officially enacted yet. The latest version of the IoT improvement Act follows guidelines put forth by the standards group the National Institute of Standards and Technology (NIST). NISTIR 8259A does a good job of following best practices around device identification, data protection, software updates, and device configuration, but guidelines don't always serve as testable standards and since 8295A deviates from European standards, it can pose difficult challenges for anyone shipping internationally. The current fight for global regulations has also been moved up to the International Organization for Standardization (ISO), though concrete enforcement there is still to be determined.
The European Approach
In Europe, things are a little bit more clear. The EN 303 645 regulation, which can be traced back to the IoT code of practice that the UK government put forth, initially offered 13 main principles. It has since expanded to include around 60 different elements, but at its core are three main requirements: vulnerability disclosure policies, no default passwords, and the ability to keep software updated and upgradable -- all of which are important. Other guidelines, however, that are predominantly tied to GDPR and consumer data privacy make things much more complicated, especially when companies are tasked with disclosing granular details such as what sensors are in each device or what data is in the telemetry. Not to mention that validating input data is important to do as best practice, but not as easily achieved at mass scale and across intricate supply chains.
An Example from Asia
In 2019, Japan launched the National Operation Towards IoT Clean Environment (NOTICE) Project, in which the government decided to take a policing approach to IoT security. The Ministry of Internal Affairs and Communications (MIC) and the National Institute of Information and Communications Technology (NICT) in cooperation with Internet Service Providers (ISPs) were given permission to scan consumer networks to determine if devices in consumers' homes were at risk of exposure. ISPs would then notify them of unsecured products. Within the first six months of this project, tens of millions of devices were scanned and around 150 notices per day went to carriers and ISP providers. While that wouldn't necessarily be considered an outrageous number outright, the fact that it was related to cameras, set-top boxes and DVRs and found each day allowed for totals to quickly climb and ultimately wreak havoc. It's certainly interesting to see the government take a much more aggressive path to drive IoT security than in the U.S. and Europe, but it still can leave many informed of their unsecure or hacked device without much context on what to actually do to address it after the fact and confused on next steps. It also doesn't directly address the broader issue around IoT security standards.
Although one could argue that each of these methods -- the policing approach in Japan, consumer-driven tactics from Europe, and a device-centric technique in the U.S. -- are the most effective way to address IoT security, the more important point is that fragmentation at any level limits widespread progress, and a lack of direction for manufacturers trying to deploy global products and services has and will continue to result in problems. In fact, despite these efforts, continued hacks and malicious attacks today are strong evidence of the need for globally adopted, replicable standards that successfully harmonize versus isolate IoT security regulations. To achieve this, strategic cooperation is necessary between both industry leaders and regulators, who take the necessary steps to develop global standards that can be applied to all connected devices, are testable, and will have a direct (and positive) impact on the end consumer.
About the author: Brad Ree is the chief technology officer of ioXt. In this role, he leads ioXt’s security products supporting the ioXt Alliance. Brad holds over 25 patents and is former Security Advisor Chair for Zigbee. He has developed communication systems for AT&T, General Electric, and Arris. Before joining ioXt, Brad was vice president of IoT security at Verimatrix, where he led the development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols and their associated security models.
