The Broadband Internet Technical Advisory Group (BITAG), a non-profit coalition formed by technology companies such as Google, Mozilla, Microsoft, and Cisco, as well as ISPs such as AT&T, Comcast, and others, published its own recommendations for how Internet of Things devices should be secured.
The recent couple of massive DDoS attacks, capable of sending over 1 Tbps of data to their intended targets, have shown that IoT security needs to be treated much more seriously. Otherwise, millions (or soon, billions) of non-secure IoT devices could enable all sorts of attacks, making everyone a potential target. The attacks can disrupt services that everyone uses everyday, interfere with economic activity in general, or censor speech.
BITAG presented a few proposals that IoT manufacturers should adopt so that the internet can become safer against these attacks.
Observations From An Insecure Iot Ecosystem
The BITAG nonprofit made the following observations in regards to all the problems that plague existing IoT devices.
Outdated Software
According to BITAG, some IoT devices ship on the market with software that’s already outdated. That means devices could ship by default with security vulnerabilities, which could make them hackable from day one.
Although that should be an obvious problem to fix first, another more complex problem is that devices are left unpatched for too long after they are sold, or the support for them may drop too early. Support costs money, so many OEMs choose to update them rarely, and they drop support for them as soon as possible, as well.
This is essentially the same problem Android smartphones already have. However, it’s made worse in the IoT world, where customers may be more sensitive to product pricing, so manufacturers end up cutting costs on security and support.
Insecure Communications
It was only a few years ago that even some car manufacturers were transmitting updates to their “connected cars” through unencrypted HTTP connections, so it’s not much of a surprise that many IoT manufacturers also send their updates over the same.
Even when encryption is used, authentication may not be used, which also makes IoT devices susceptible to hacking and being taken over by botnets.
Data Leaks
The group observed that many devices leak data, either from the insecure servers of the companies that store IoT data and analyze it, or the IoT devices leak the data to other devices in the same network or from neighboring networks.
Susceptibility To Malware Infections
Many IoT devices don’t have the necessary security features to protect them against being taken over by malware. That makes it easier to be taken over by botnets as well, and only makes the lack of updates situation worse. At least devices that have good anti-exploitation security measures could better withstand future attacks even if they aren’t updated often or any more.
Potential For Service Disruptions
Loss of service could be highly dangerous for certain IoT devices, such as home alarms and security systems, where a disruption in their service means the home isn’t protected anymore. Burglars could take advantage of such vulnerabilities to break into homes.
BITAG Security Recommendations
After releasing its observations about the current IoT security ecosystem, the BITAG nonprofit also released a series of recommendations for how the security of IoT devices could be improved.
Use Best Current Software Practices
In terms of software updates, the nonprofit group recommended that no device should ship with major known vulnerabilities. That means if the manufacturer is already aware of a major security issue in its software, but it hasn’t had time to fix it by the release date of the device, then it should postpone that release until the software is fixed.
The group also recommended that IoT devices should be updated automatically, without user intervention, and the updates should be done securely. The manufacturers should design their devices as if bugs will be discovered and they will need to be patched.
One of the biggest problems with IoT devices is that they use default credentials such as “admin/admin.” This makes it easy for IoT botnets to hack into them and take over them. Many of the surveillance cameras that participated in the Dyn DDoS suffered from the same issue.
More testing before shipping for different configurations of the IoT software should also be done, according to BITAG.
Follow Security And Cryptography Best Practices
BITAG said that IoT manufacturers should use TLS encryption and protocols that aren’t already known to have major weaknesses or small key sizes. Additional encryption best practices include:
Encrypt configuration communications by defaultSecure communications to and from IoT controllersEncrypt local storage of sensitive dataAuthenticate communications, software changes, requests for dataUse unique credentials for each deviceUse credentials that can be updatedClose unnecessary ports and disable unnecessary servicesUse libraries that are actively maintained and supported
IoT Communications Should Be Restrictive
By default, most inbound communications to IoT devices should be restricted. The devices shouldn’t rely on a firewall alone to restrict communications, as that could also cause some issues with other home devices that won’t be able to traverse the firewall.
Devices Should Be Resilient To Service Disruption
IoT devices shouldn’t completely fail to work when their internet connectivity is gone. For instance, you wouldn’t want your “smart lightbulb” to stop working if there is no internet. The same goes for security systems or surveillance cameras that may require cloud access to work properly. BITAG recommended that the devices should at least continue to perform basic functions when internet connectivity or the server back-end fails.
This may also apply to situations where a manufacturer or vendor closes down, and the devices that have already been sold stop working, as has already happened in at least one case.
IPv6 And DNSSEC Support
The nonprofit recommended that all IoT devices should support the latest version of the IP protocol, as well as the DNSSEC protocol when domain names are used. Considering how many IoT devices are expected to appear on the market over the next decade, it makes sense to support IPv6, because IPv4 addresses are already running out.
IoT Supply Chain Should Also Consider Security
Vulnerabilities could be introduced in the components being delivered by a supply chain that doesn’t take security seriously. Therefore, IoT manufacturers should also work with their partners to ensure that every component is backdoor- and vulnerability-free across the supply chain.
Privacy & Other Rights
IoT devices should ship with an easy-to-understand and easy-to-find privacy policy. IoT devices are going to collect increasingly more data about their surroundings, which sometimes may even include voice recordings. That’s why it’s important for customers to understand what they’re buying, and if necessary, how to configure devices so that their privacy is protected.
BITAG also believes that manufacturers should disclose if they or a third-party may decrease the functionality of the sold devices remotely, for various reasons.
Industry Cybersecurity Group & Security Certification
BITAG recommended that IoT manufacturers should join together to create an industry group that will be in charge of defining all the security best practices that should be implemented by IoT devices. The group could then certify devices with some kind of “Secure IoT Device” logo on the retail package.
This seems like a proposal that’s meant to preempt imminent government regulations. The EU is already considering a similar labeling and rating system, and other governments may be looking at what regulations to impose on IoT companies. However, if the industry delivers a serious effort towards self-regulation and towards creating much more secure IoT devices by default, much of that may be avoided.
BITAG’s proposals are a good start for IoT manufacturers that would want to secure their devices. However, this is no guarantee that anyone in the IoT industry will listen. A certification program will also be necessary to encourage compliance with security best practices.
All of these decisions could take a few more years, time in which millions more insecure devices could be delivered on the market, so the IoT botnet problem will likely stick with us for at least a while longer.
