LONDON, UK – Internet of things (IoT) device security continues to worry the tech industry – however, experts believe that the right type of global regulation could be key for ensuring security standards. The question is when those regulatory efforts will be fleshed out.
Ken Munro, with Pen Test Partners, said in a Wednesday Infosecurity Europe session that he hopes regulation will change the way that manufacturers enforce security measures in their connected devices.
“I think regulation in consumer IoT is actually an enabler,” he said. “I’m really hoping we’ll see regulation in the UK for the next year, to drive behavior of manufacturers and security for devices.”
Bad IoT
Insecure connected devices are nothing new, and Munro listed out a slew of recently discovered insecure IoT devices. Those include popular smartwatch TicTocTrack, which was discovered to be riddled with security issues that could allow hackers to track and call children; vulnerabilities in an internet-connected kettle (dubbed iKettle); and an Enox smart watch that was banned by the Icelandic data protection authority for leaking children’s location data.
Perhaps the most infamous of these incidents is Genesis Toys’ My Friend Cayla doll, which was banned in Germany in 2017 and labeled an “espionage device” due to vulnerabilities that allowed takeover by third parties.
Munro said that five years ago, he believed that market pressures would drive security for IoT devices; and hoped that the connected device state of security would improve.
“The problem is, it’s not getting better, in fact it’s getting worse,” he said. “That’s why I think we’re going to need regulation.”
Several attempts at IoT security regulation do exist globally.
The closest of these to become law in the U.S. is the California Senate Bill 327 (SB-327), which would require “reasonable security feature or features that are appropriate to the nature and function of the device.”
SB-327 was first proposed in 2018 and will become law in January 2020. While the bill has drawn backlash from the security community for not going far enough, Munro said that “it mandates reasonable security features for smart-tech manufacturers,” such as enforcing unique passwords for IoT devices.
Other U.S. regulation efforts around IoT — including Sen. Mark Warner’s (D-Va.) IoT Cybersecurity Improvement Act of 2017 — are also ramping up.
Meanwhile, earlier this year the U.K. government announced a new mandate promising new requirements for IoT manufacturers. Those including improvements around unique device passwords and policies around security updates.
NIST is working on organizing “considerations” for manufacturer IoT security measures that they recommend, said Munro. And, NIST’s EU counterpart, ENISA (European Union Agency for Network and Information Security), published baseline security recommendations for IoT devices.
Munro stressed that laws regulating IoT security have been met with backlash from vendors who have argued that regulation will stifle innovation or increase costs for devices. In particular, the laws may face a legal challenge from the auto industry, which is afraid that regulation might impact their business (as cars are becoming increasingly software-driven).
However, “I do not agree,” said Munro. “I think that standards help us build, because when one goes to market they now understand basic standards. My Friend Cayla would be secure with one simple change for instance, a Bluetooth PIN.”
While regulatory efforts are on the table, the actual implementation of those mandates may take much longer, said Munro. Automotive manufacturers may have a three-year lag when it comes to effectively implementing IoT security measures at scale due to complex systems, for instance.
In the meantime, Munro stressed that manufacturers need to focus on an array of security aspects with connected devices, including selecting their base hardware carefully (make sure the chip has secure storage, a lockable bootloader, toolchain access, etc.), ensuring that firmware and software is developed by developers who can demonstrate good security expertise, and getting third party advice early on.
“It’s a step in the right direction. Regulation is in the discussion and we’ll potentially see it in 2020,” said Munro.