The UK government is considering a proposal for a set of regulations that would ensure better cybersecurity of Internet of Things (IoT) devices. This includes mandatory unique passwords for devices and ensuring customers are aware of the security risks.
Given the growing popularity of IoT devices at the consumer level and their inevitable cyber vulnerability, governments in other countries are also bringing in similar laws. Authorities in the state of California, for instance, have come up with a rule to get rid of default passwords.
How effective are IoT regulations?
That there is a need for laws to protect IoT devices is quite clear. But how effective are these above-mentioned efforts? We recently talked to Aamir Lakhani, a cyber security researcher at Fortinet, to get his views on the subject.
“The law in the UK is practical and a step in the right direction,” Lakhani said. “However, its effect will depend on the implementation of the rules. Many manufacturers use a device’s MAC address as the password. The MAC address is the hardware address on the network (wired or wireless) connectivity hardware of the device. It is unique for every device. This is an easy way for manufacturers to come up with a unique password.”
However, a device’s MAC address is advertised on the local network by the device itself, Lakhani added, pointing out the danger in this practice. Potential attackers could “listen” for that MAC address and capture it, and then use it to break into a system. Manufacturers not only need to have unique passwords, but they also need to make sure they are not easily guessed or cracked. Furthermore, they need to make sure they are following best practices by not allowing remote administration or access from people outside the local network.
The law banning default passwords is also a good step, according to Lakhani. There are hundreds of lists of default passwords for many products and manufacturers. Many users do not change the default password, creating a significant security risk.
What more can be done?
Although governments across the globe are considering ways to deal with cybersecurity issues, the UK and California governments’ initiatives are some of the first to address consumer level issues in IoT devices. In Lakhani’s opinion, while this is a commendable measure, there are more steps that can be taken to make the laws stronger and more effective.
“I think this is a significant step,” Lakhani said. “I would also make sure the password cannot be obtained from network traffic through standard attacker techniques such as sniffing the network, which would mean they could not use the MAC address as their password. I would make the password available only internally to the device. Furthermore, I would ensure manufacturers support multiple types of open standard two-factor authentication as an option for more security minded users.”
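To make the MAC-address point concrete, here is an added example (not Lakhani’s or Fortinet’s code, and not part of the original article) that simulates the attack he describes and the check a manufacturer or auditor could run against a device’s factory password. It assumes a constructed 42-byte ARP frame as the traffic an attacker on the LAN would capture, a small constructed stand-in for the published default-password lists, and a hypothetical provisioning scheme in which each device gets a random secret generated at manufacture, stored only on the device and printed on its label. The function names (`extract_src_mac`, `password_is_acceptable`, `sniff_and_guess`, `provision_password`) are illustrative, not from any product.

```python
import base64
import secrets
from typing import Callable, Optional, Set, Tuple

# Constructed sample Ethernet frame: dst ff:ff:ff:ff:ff:ff (broadcast),
# src = the device's MAC, EtherType 0x0806 (ARP), 28-byte ARP body.
# Every host on the same LAN segment sees this frame.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0a1b2c3d4e5f" "0806") + b"\x00" * 28

# Constructed stand-in for the public default-password lists the article mentions.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", "root"}


def extract_src_mac(frame: bytes) -> str:
    """Read the source MAC (bytes 6..12 of the Ethernet header) off a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return ":".join(f"{b:02x}" for b in frame[6:12])


def mac_derived_candidates(mac: str) -> Set[str]:
    """Passwords an attacker who has sniffed the MAC would try first:
    the MAC with and without separators, either case, and its last 3-4 octets."""
    raw = mac.replace(":", "").lower()
    return {raw, raw.upper(), mac.lower(), mac.upper(), raw[-6:], raw[-8:]}


def weak_password_for(mac: str) -> str:
    """The anti-pattern from the article: unique per device, but it IS the MAC."""
    return mac.replace(":", "").upper()


def provision_password(nbytes: int = 12) -> str:
    """Hypothetical per-device secret: 96 random bits generated at manufacture,
    stored only on the device (and its label), never sent on the network."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=").lower()


def password_is_acceptable(password: str, mac: str,
                           defaults: Set[str] = DEFAULT_PASSWORDS,
                           min_len: int = 12) -> Tuple[bool, str]:
    """Audit check: reject defaults, anything derivable from the on-wire MAC,
    and short values. Returns (ok, reason)."""
    if password.lower() in {d.lower() for d in defaults}:
        return False, "on a published default-password list"
    if password.lower() in {c.lower() for c in mac_derived_candidates(mac)}:
        return False, "derivable from the MAC address visible on the network"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


def sniff_and_guess(frame: bytes, try_login: Callable[[str], bool]) -> Optional[str]:
    """Simulated attacker: pull the MAC off the wire, then try the MAC-derived
    guesses against the device's login. Returns the password that worked, if any."""
    mac = extract_src_mac(frame)
    for candidate in sorted(mac_derived_candidates(mac)):
        if try_login(candidate):
            return candidate
    return None


def demo() -> dict:
    """Run both schemes against the same sniffed frame."""
    mac = extract_src_mac(SAMPLE_FRAME)
    weak = weak_password_for(mac)
    strong = provision_password()
    return {
        "mac": mac,
        "weak_recovered": sniff_and_guess(SAMPLE_FRAME, lambda p: p == weak),
        "strong_recovered": sniff_and_guess(SAMPLE_FRAME, lambda p: p == strong),
        "weak_audit": password_is_acceptable(weak, mac),
        "strong_audit": password_is_acceptable(strong, mac),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit function is the part worth reusing: it encodes Lakhani’s three conditions (unique, not on a default list, not obtainable from traffic) as a single check that can be run at the factory or during a product review, and the simulated sniffer shows why a MAC-derived password fails the third one even though it passes the first.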
What is the current situation on IoT security?
The number of IoT devices on the market is increasing at a fast pace. According to a report from Gartner, there will be 20.4 billion IoT devices by the year 2020, more than 30 percent above the figure from four years earlier.
This increases the chances of hackers targeting IoT devices. To make things worse, many companies are not taking the steps needed to ensure their IoT deployments are as well protected as possible.
A recent survey of 950 companies by the security firm Gemalto found that almost 50 percent of companies that use IoT at the workplace have no proper systems in place to detect breaches. Incidentally, 79 percent of the respondents want governments and other third-parties to come up with tougher standards.
What can consumers do for IoT security?
According to the cybersecurity solutions provider Norton, there are several steps that consumers can take to minimize the threats. Using strong passwords is an obvious step. Other measures include updating devices to the latest firmware and making sure that your devices themselves are not too old and easy to hack.