Dark Reading is part of the Informa Tech Division of Informa PLC

9/20/2019
10:00 AM
Sivan Rauscher
Commentary

A Safer IoT Future Must Be a Joint Effort

We're just at the beginning of an important conversation about the future of our homes and cities, which must involve both consumers and many players in the industry

Though much celebrated, the Internet of Things (IoT) has nevertheless opened a Pandora's box of new challenges in Internet security and data privacy. The need for some sort of oversight seems long overdue. But who should be responsible for ensuring safer IoT devices? Can manufacturers be trusted to provide effective safeguards on their own? Or will government be required to step in?

On March 11, 2019, members of the US Congress suggested a partial answer when they put forth the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which aims to "leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices." While the legislation does not demand standards, if it passes, manufacturers will have to provide devices that are inherently more secure by design (in other words, constructed with internal security features and password protection) to be eligible for lucrative government contracts.

It's been a slow process. IoT devices, after all, have been around for almost 10 years, and US government agencies were aware of security issues at least by 2015. Nevertheless, many cybersecurity experts were suggesting legislation would be a "legal nightmare" and that the only solution was self-regulation. It was a similar situation in the UK. The UK government had previously stated its preference that the industry self-regulate, with some regulation where necessary. But it, too, is in the process of enacting laws aimed at better securing and protecting the data collected by connected devices.

What changed? There are still significant problems with many IoT devices currently available. Cybersecurity experts are also concerned about the longevity of these devices and the ability of manufacturers to provide security updates in a timely manner. A lightbulb may be short lived, but the lifespan of the average refrigerator is between 14 and 17 years. Will the manufacturer even still be in business then?

For these reasons, I think it's also inevitable that future legislation will go much further and establish basic security standards for all devices sold in the US, similar to California's IoT security law SB-327, which prohibits the use of easily hacked default passwords. Nevertheless, while government legislation has the potential to influence manufacturers and suppliers of IoT devices, it's important to look at the big picture.

At this time, we're just at the beginning of an important conversation about the future of our homes and cities, which must also involve many other players in the industry, such as network operators, service providers, cybersecurity professionals, educators, and consumer groups.

While the US Congress is focused on state-level security, privacy concerns of consumers must also be taken into consideration. According to a recent report from Consumers International and the Internet Society, 77% of respondents said data privacy and security are key contributors to their device-buying decisions. Nearly a third of respondents (28%) who haven't yet purchased a smart device said they will not buy one due to privacy and security misgivings.

Manufacturers are well aware of these concerns. Indeed, to protect their own reputations and businesses, they may go beyond any future government guidelines because a major security breach could be disastrous for them. Samsung, for example, recently revealed — completely on its own initiative —  that some of its televisions have vulnerabilities and provided scanning information online. Consumers, after all, do need to stay informed and take some responsibility for their home network safety. But that smart TV is just the beginning.

According to Gartner, by the end of this year, globally, around 14 billion IoT devices will be connecting to the Internet, and that number is predicted to grow to 25 billion devices by 2021. As a number of recent reports have shown, just one vulnerable IoT device can jeopardize an entire home network and threaten a person's privacy and personal security. Where infrastructure is concerned, the security and trustworthiness of an organization or even a public utility may be at risk. If we're to avoid another disaster like that which affected Ukraine, when Russian hackers were able to shut down portions of its power grid, we must work together to ensure everyone's concerns are being heard, from cybersecurity experts to city planners, especially with the further development of 5G networks.

For that reason, smart city conferences, focused on IoT security for industry and citizens, have begun to appear. In 2018, Tel Aviv hosted its first cybersecurity conference for "smart cities," attracting over 7,000 people, including 80 delegations from municipalities around the world.

Bringing together governmental representatives, cybersecurity professionals, tech giants, consumers, and researchers is definitely a step in the right direction. To learn and share knowledge, for example, at SAM Seamless Network, we have partnered with Internet service providers, gateway and IoT manufacturers, global device suppliers, and antivirus companies. We also participate in many working groups to influence the market on a higher level. In the end, securing IoT devices must be a joint effort.

Manufacturers must make IoT devices with the highest possible security measures built in, and make it easy for consumers to change passwords and update firmware. Consumers, for their part, must be prepared to learn how they can protect themselves. Internet service providers can protect the gateways to home networks. Governments must think and plan ahead, using the best data from all available sources, and with the input of consumers and vendors.

By working together, government, industry, SMBs, and consumers will enjoy all the benefits smart, secure IoT devices can offer, including more efficient homes and safer, more productive smart cities.

Sivan is Co-Founder and CEO of SAM Seamless Network, a software-only cybersecurity platform that provides security for unmanaged networks and IoT devices for homes and SMBs. Prior to founding SAM, Sivan worked at Comsec Global, overseeing cyber projects and ...
 

Comments
ravidadhich,
User Rank: Apprentice
4/18/2020 | 7:32:22 AM
What Reason Should You Go for IoT App Development in future?
The Internet of Things (IoT) is a vast network of interconnected devices and things through the internet, which is helpful to transfer, receive, collect and share data without any direct connection. The first-ever idea which gave acceleration to IoT was a Coke vending machine. After this invention, IoT development companies started working on the concept behind the design.