Responsibility for IoT security lies with vendors - study

The Broadband Internet Technical Advisory Group (BITAG) has challenged the industry to improve online security ahead of the IoT tsunami, as it's nowhere near good enough at the moment.

Jamie Davies

November 24, 2016


The Internet of Things has been championed in recent years as a means for the telco industry to tackle eroding profits after those pesky internet kids came onto the scene. Text and voice calls were no longer revenue streams the telcos could rely on, but the growing euphoria surrounding IoT could generate serious cash.

However, with a broader scope of connectivity comes a responsibility for IoT vendors to improve security for the customer, according to BITAG, a US-centric advisory group which counts some of the largest telcos, internet players and manufacturers as members.

Security is not a new challenge, and neither is it a challenge which can be solved; for every advancement made by the industry, the threats will always be in line, or one ahead. However, the spread of IoT compounds the problem as the network perimeter becomes significantly larger, points of entry vastly increase and the technology will find its way into the hands of users who are less technically able or security conscious. The new connected world promises to be a monumental security headache.

“Although consumers face general security and privacy threats as a result of any Internet connected device, the nature of consumer IoT is unique in that it can involve non-technical or uninterested consumers, challenging device discovery and inventory on consumer home networks as the number and variety of devices proliferate, impacts on the Internet access service of both the consumer and others that run on shared network links, and effects on other services in that when IoT devices are compromised by malware they can become a platform for unwanted data traffic – such as spam and denial of service attacks – which can interfere with the provision of these other services,” the latest BITAG report reads.

Now that is a really long sentence, but it essentially means IoT brings internet-connected technology into the hands of people who have not handled it before. They may not understand or comprehend the security threat, and therefore not consider the security requirements. This not only puts that consumer in a compromising position, but also the network to which the device is connected. BITAG’s position is that the telcos and vendors will have to take a more responsible position to ensure devices, the users and the network remain safe.

But what are the vulnerabilities at the moment?

  • Lack of IoT supply chain experience with security and privacy

  • Lack of incentives to develop and deploy updates after the initial sale

  • These devices also create new risks and are susceptible to attacks inside the home. Because many home networks do not, by default, isolate different parts of the network from each other, a network connected device may be able to observe or exchange traffic with other devices on the same home network, thus making it possible for one device to observe or affect the behaviour of unrelated devices

  • Difficulty of secure over-the-network software updates, devices with constrained or limited hardware resources (precluding certain basic or “common-sense” security measures)

  • Devices with constrained or limited user-interfaces (which if present, may have only minimal functionality)

  • Devices with malware inserted during the manufacturing process

  • Many IoT devices send some or all data in cleartext, rather than in an encrypted form. Communications in cleartext can be observed by other devices or by an attacker

According to BITAG, the industry is not in a great position at the moment and is, to a degree, setting itself up for failure. Responsibility for security has to be taken from the top down, as it is the top level who will benefit the most from a successful IoT boom.

In terms of recommendations, BITAG has put forward a number of ideas, including shipping devices with the most recent security software (thought this was obvious…). Devices should contain mechanisms to allow for automated security updates, encrypted communications should be standard, and devices should be restrictive rather than permissive in communicating and should be able to continue to function if connectivity is disrupted or if the cloud back-end fails.

The world of IoT is yet to boom, but it is encouraging to see security concerns addressed prior to mass market penetration. In previous years it has been far too common for security features to be built in as opposed to designed in; BITAG’s call to action is comforting. Admittedly, just because BITAG is making noise does not mean the industry will follow through, but at least someone is making a fuss.
