Better IoT security requires a change in consumer culture and habits. But manufacturers should be doing more as well, with better guidance from government.
Ironically enough, the good news about the atrocious security of Internet of Things (IoT) devices might be that the bad news is getting a higher profile.
Stories about security cameras getting hacked, with attackers taunting users or trying to get children to say or do twisted things, aren’t just being covered in security blogs. They’re headlines in mainstream newspapers and highlights on evening news shows.
All of this helps with awareness. The word is spreading beyond security conferences to the general public that the IoT, while providing endless entertainment, magical convenience, lifesaving medical support, and more, is also the biggest cyber attack surface in the world.
It is fast becoming what many now call the Internet of Everything (IoE). And if consumers become more aware that the dazzling features of those devices come with risks, that is a good thing.
That doesn’t mean the problem is solved, however—not even close. Awareness doesn’t mean expertise. Users might know that compromised smart home devices could allow attackers to unlock their doors or spy on them and their children, but that doesn’t mean they know how to harden the security of those devices or their home networks.
Indeed, it’s a stretch to expect they would. When it comes to cars, all drivers know how to operate the brakes. But that doesn’t mean they have the expertise to analyze whether the brakes are safe when they drive their new car off the lot. They assume (as they should, given automotive safety standards) that the brakes will work.
We aren’t there with IoT devices.
A recent advisory from an Oregon FBI office on “building a digital defense in your Internet of Things” offers an example.
It noted that in addition to smart TVs, homeowners should be aware of “everything else in your home that connects to the world wide web … digital assistants, smart watches, fitness trackers, home security devices, thermostats, refrigerators, and even light bulbs.”
Among the agency’s recommendations:
So, five easy steps to better security and you’re good to go? Not so much.
First, as any mainstream consumer could tell you, those are not all easy. Jennifer Janesko, senior consultant at Synopsys, said it is “a good step that the FBI is offering a laundry list of actions that users can take to protect themselves,” adding that each one makes sense, given that each addresses a recent set of attacks.
“But the majority of the recommendations are not going to be actionable by the typical end user,” she said.
As an example, she cited “Janis,” a family member who has numerous connected devices in her home—“router, laptop, tablet, security camera, smart vacuum cleaners, multifunctional devices, smart television, etc.”
Janesko said when she visits Janis, a few “innocent” questions about the functioning or performance of those devices guarantee that “I will spend an entire day taking her network or device apart, performing upgrades, maintenance, or security scans, and then fixing things to be more secure.”
“Day to day, she doesn’t worry about how her network is configured, and she adds and removes devices according to the manufacturer instructions and/or the wizards that are presented when you first turn a device on.”
Obviously, not everybody is fortunate enough to have an IT expert in the family. So if Janis were like the rest of us, how would she do with that FBI list? Probably not so well, Janesko acknowledges.
Start with the firmware update. While many have heard the term, most don’t understand what firmware is or even if their devices contain it.
“If Janis gets explicit instructions from a manufacturer to update her firmware, because she has registered it, she will do it,” Janesko said. “But it is highly unlikely she will do it because the FBI says so. They did not provide step-by-step instructions, and each device update process is different.”
And searching online to find instructions on how to update firmware can be “overwhelming,” she said, given that user manuals frequently cover multiple devices. “The instructions may not exactly match the firmware version that is running on the actual device. Hence, it will be intimidating.”
Then there is changing the default password, probably the most practical and feasible recommendation on the list. But even that comes with its own complications. Some devices may not even offer that option.
Beyond that, “users may not be aware how to do this on the device. And aside from reusing their own passwords, how do they select a password that is strong and hasn’t already been reused?” Janesko said. “Users need a generic way to generate strong passwords for these devices, like using passphrases and/or a generic, cross-platform tool like KeePass. It would also make sense to suggest for them a minimum length for the passwords/passphrases.”
And while multifactor authentication is “much, much more powerful than password protection, there are some barriers,” she said. Among them, “you have to have an additional device. This means Janis would need to go out and buy it or order it online. Unless she is forced to do so, she is not going to do it.”
“We need an agreed-upon path for authentication. It must be easy,” she said.
Probably the least feasible recommendation for the average user: Create a guest home network. A bit like expecting car owners to do their own brake jobs.
“Janis will not be able to do this on her own,” Janesko said. “She will have to contract someone to do it.”
Jeff Wilbur, technical director at the Online Trust Alliance (OTA), argues that if users work at it, they can become more capable in managing the security of their devices, even if some of the recommendations from the FBI “may be out of the norm for most users, and require some research to perform the first time.”
He said the recommendations are, in general, “practical and straightforward, and in line with those made by us and others.”
Still, as Janesko notes, once people have spent money on a device, struggled through the setup and configuration, downloaded the accompanying app, and configured it, they aren’t likely to follow recommendations they don’t understand.
Limiting the permissions of apps, while less complicated than setting up a guest network, is one of those things.
Even if Janis finds out that the app is “asking for something strange, like access to your photo album or location, after the outlay of money and the time setting things up, is she really going to worry about this permission? What about the permissions that have descriptions that she doesn’t understand? I suspect she will simply accept the risk and let the app remain installed on her device.”
She and just about everybody else.
This, of course, doesn’t mean consumers bear no responsibility. “Buyer beware” has been a principle for centuries. Still, when the risks are largely hidden and the average user doesn’t understand them, it’s easy to focus on what a device will do for you, ignoring what it could allow someone to do to you.
But Wilbur said there is help for those who are willing to look for it. “In the Internet Society’s IoT Trust Framework, we cover many of these issues, including principles such as limiting the number of login tries before locking out attempts for a period of time,” he said.
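The lockout principle Wilbur cites, as an added example that is not code from the article, the Internet Society framework, or any device vendor: a small per-account login guard that allows a fixed number of failed tries and then refuses further attempts, even with the correct password, until a lockout period has passed. The account name, limits and clock values are constructed for illustration; the clock is passed in so the policy can be exercised without waiting in real time.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AttemptState:
    failures: int = 0                   # consecutive failed tries so far
    locked_until: Optional[float] = None  # unix time when the lockout ends


class LoginGuard:
    """Limits failed logins per account and locks the account for a period."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 300.0):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._state: Dict[str, AttemptState] = {}

    def is_locked(self, account: str, now: float) -> bool:
        st = self._state.get(account)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout has expired: clear it and start a fresh counter.
            self._state[account] = AttemptState()
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login try; returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(account, now):
            # While locked, do not even evaluate the password.
            return "locked"
        st = self._state.setdefault(account, AttemptState())
        if password_ok:
            self._state[account] = AttemptState()  # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses, then a correct one too late.
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (62, True)]:
        print(t, guard.attempt("admin", ok, now=t))
```

Because the counter is keyed by account, a lockout also blocks the legitimate owner until it expires, so the period should be long enough to slow guessing yet short enough that users are not shut out of their own devices.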
He noted that Mozilla, which operates the Firefox browser, offers a buying guide for IoT products called *privacy not included and that Mozilla, Consumers International, and the Internet Society have created a list of minimum security standards that all IoT devices should meet, including encrypted communications, security updates, strong passwords, vulnerability management, and privacy practices.
Janesko said that on the consumer side, addressing the problem will require a “cultural change and education. There needs to be training/awareness campaigns for everyone” on things like authentication and managing permissions.
But she said manufacturers and vendors should be doing a lot more as well, starting with hardening the security of devices and making it easier for users to configure and control them. “This would require some level of threat modeling whereby the apps and their permissions are evaluated by professionals who are aware of the latest abuse cases and can visualize new abuse cases,” she said.
It will also likely take some government or regulatory consistency, which she said will not be happening with the “unenforceable” California Consumer Protection Act (CCPA), which took effect Jan. 1, 2020. She said the U.K.’s Code of Practice for Consumer IoT Security is much better.
In her view, the IoT “security standards” landscape is much too confusing at this point. “There are way too many organizations that have their own standards now—manufacturers are likely to wait and see what they will be forced to do rather than selecting one standard and it being the ‘wrong’ one,” she said. But she added that NIST (National Institute of Standards and Technology) is “often the go-to organization for setting standards in the U.S., and they have been rapidly building out their IoT recommendation set.”
Fundamentally, the only hope for long-term substantive change is for security management to make it a habit, Janesko said, “like brushing your teeth two times per day, wearing a coat when it is cold outside, and locking a door when you leave your home. Education should start in schools, but we have to find a way to address the folks who are out of school.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.