There has been a lot of smoke lately, so it is likely there is an interesting IoT security fire burning. Let’s examine the problem and how to fix it.
The original version of this post was published on SecurityWeek.
We have collectively heard the saying, “where there is smoke, there is fire” throughout our lives. And, sure enough, it is true far more often than it is false. I have been seeing a lot of smoke lately, so I suspect that there is an interesting fire burning.
The first sign of smoke was a public service announcement (PSA) by the Federal Bureau of Investigation (FBI) on July 17. The PSA, “Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children,” was an interesting warning about the risks associated with connected toys. The PSA concisely explains why connected toys create risks, why those risks can affect children, and how families can take steps to minimize the risks.
For those who have visited this column before, you know I have tracked the connected toy issue in other articles such as “The Connected Toy Conundrum Is Beginning to Boil.” I remain puzzled that there has not been more outcry from the consumer public on the issue. I also continue to wonder when the government will feel compelled to address the risks for children. Therefore, the FBI PSA definitely caught my attention.
The second billow of smoke emerged in the form of a document distributed by the Cybersecurity Unit of the United States Department of Justice (DOJ) in conjunction with the Consumer Technology Association (CTA), called “Securing Your ‘Internet of Things’ Devices,” published in July. This document addresses the issue in the context of the broad Internet of Things (IoT) market. It too describes the risks and the possible consequences. But it also focuses on a list of steps consumers can take to protect themselves from attack.
More smoke appeared on the horizon when a bill to address IoT security – albeit for a narrow use case – was introduced into the U.S. Senate. The bill compels IoT manufacturers that target the government market to ensure their products demonstrate basic security.
My takeaway from these two documents is that the DOJ (the FBI is part of the DOJ) is presumably seeing enough activity surrounding connected toys and IoT to prompt it to act by educating consumers.
I have had the privilege of making friends who work for the FBI, and I have also engaged them for business in my various pursuits. While the FBI is diligent about all crime, I learned quickly that the people of the FBI take the welfare of children quite seriously. If you read between the lines of the PSA, I am confident in assuming they are encountering cases involving children where information such as their names, home addresses, and the names of their schools was compromised through connected toys. The frequency was clearly enough to spur the FBI to action.
The broader DOJ document cites Mirai malware as illustrative of the problem at hand. However, it is not hard to extrapolate that the DOJ’s Cybersecurity Unit is seeing more evidence of similar attacks in the devices currently flooding the market.