Dark Reading is part of the Informa Tech Division of Informa PLC


9/20/2019
10:00 AM
Sivan Rauscher
Commentary

A Safer IoT Future Must Be a Joint Effort

We're just at the beginning of an important conversation about the future of our homes and cities, which must involve both consumers and many players in the industry

Though much celebrated, the Internet of Things (IoT) has nevertheless opened a Pandora's box of new challenges in Internet security and data privacy. The need for some sort of oversight seems long overdue. But who should be responsible for ensuring safer IoT devices? Can manufacturers be trusted to provide effective safeguards on their own? Or will government be required to step in?

On March 11, 2019, members of the US Congress suggested a partial answer when they put forth the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which aims to "leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices." While the legislation does not demand standards, if it passes, manufacturers must provide devices that are inherently more secure by design — in other words, constructed with internal security features and password protection — to be eligible for lucrative government contracts.

It's been a slow process. IoT devices, after all, have been around for almost 10 years, and US government agencies were aware of security issues at least by 2015. Nevertheless, many cybersecurity experts were suggesting legislation would be a "legal nightmare" and that the only solution was self-regulation. It was a similar situation in the UK. The UK government had previously stated its preference that the industry self-regulate, with some regulation where necessary. But it, too, is in the process of enacting laws aimed at better securing and protecting the data collected by connected devices.

What changed? There are still significant problems with many IoT devices currently available. Cybersecurity experts are also concerned about the longevity of these devices and the ability of manufacturers to provide security updates in a timely manner. A lightbulb may be short lived, but the lifespan of the average refrigerator is between 14 and 17 years. Will the manufacturer even still be in business then?

For these reasons, I think it's also inevitable that future legislation will go much further and establish basic security standards for all devices sold in the US, similar to California's IoT security law SB-327, which prohibits the use of easily hacked default passwords. Nevertheless, while government legislation has the potential to influence manufacturers and suppliers of IoT devices, it's important to look at the big picture.

At this time, we're just at the beginning of an important conversation about the future of our homes and cities, which must also involve many other players in the industry, such as network operators, service providers, cybersecurity professionals, educators, and consumer groups.

While the US Congress is focused on state-level security, privacy concerns of consumers must also be taken into consideration. According to a recent report from Consumers International and the Internet Society, 77% of respondents said data privacy and security are key contributors to their device buying decision-making. Nearly a third of respondents (28%) who haven't yet purchased a smart device said they will not buy one due to privacy and security misgivings.

Manufacturers are well aware of these concerns. Indeed, to protect their own reputations and businesses, they may go beyond any future government guidelines because a major security breach could be disastrous for them. Samsung, for example, recently revealed — completely on its own initiative — that some of its televisions have vulnerabilities and provided scanning information online. Consumers, after all, do need to stay informed and take some responsibility for their home network safety. But that smart TV is just the beginning.

According to Gartner, by the end of this year, globally, around 14 billion IoT devices will be connecting to the Internet, and that number is predicted to grow to 25 billion devices by 2021. As a number of recent reports have shown, just one vulnerable IoT device can jeopardize an entire home network and threaten a person's privacy and personal security. Where infrastructure is concerned, the security and trustworthiness of an organization or even a public utility may be at risk. If we're to avoid another disaster like that which affected Ukraine, when Russian hackers were able to shut down portions of its power grid, we must work together to ensure everyone's concerns are being heard, from cybersecurity experts to city planners, especially with the further development of 5G networks.

For that reason, smart city conferences, focused on IoT security for industry and citizens, have begun to appear. In 2018, Tel Aviv hosted its first cybersecurity conference for "smart cities," attracting over 7,000 people, including 80 delegations from municipalities around the world.

Bringing together governmental representatives, cybersecurity professionals, tech giants, consumers, and researchers is definitely a step in the right direction. To learn and share knowledge, for example, at SAM Seamless Network, we have partnered with Internet service providers, gateway and IoT manufacturers, global device suppliers, and antivirus companies. We also participate in many working groups to influence the market on a higher level. In the end, securing IoT devices must be a joint effort.

Manufacturers must make IoT devices with the highest possible security measures built in, and make it easy for consumers to change passwords and update firmware. Consumers, for their part, must be prepared to learn how they can protect themselves. Internet service providers can protect the gateways to home networks. Governments must think and plan ahead, using the best data from all available sources, and with the input of consumers and vendors.

By working together, government, industry, SMBs, and consumers will enjoy all the benefits smart, secure IoT devices can offer, including more efficient homes and safer, more productive smart cities.


Sivan is Co-Founder and CEO of SAM Seamless Network, a software-only cybersecurity platform that provides security for unmanaged networks and IoT devices for homes and SMBs. Prior to founding SAM, Sivan worked at Comsec Global, overseeing cyber projects and ...