Security attacks and breaches have become major issues in IoT. As a result, countries and service providers have issued strict security requirements for IoT device manufacturers. Vendors that comply with these requirements and get related certification to prove product security, then, can have a better chance at increasing sales.
That was according to Daniel Liu, CTO of Onward Security, who spoke at an information security forum held by Messe Frankfurt.
Needless to say, the Internet of Things (IoT) has become part of daily life. Yet, being connected, these devices, from smart locks to IP cameras, are as vulnerable as any other network equipment to various types of attacks, which often exploit specific vulnerabilities such as buffer overflows. Recently the set of vulnerabilities known as Ripple20 has also been identified, affecting devices and systems used in the healthcare, transportation, manufacturing, telecoms and energy markets.
Both buffer overflow vulnerabilities and Ripple20 can be exploited to take over devices and then use them to launch DDoS attacks against end-user entities, crashing their systems. The most infamous incident occurred in 2016 when connected devices, including IP cameras and NVRs, were used to launch DDoS attacks against DNS provider Dyn, resulting in shutdowns of major websites including Amazon, Financial Times and Netflix.
Inevitably, these breaches can lead to negative consequences. “Your smart home devices being infected can result in, for example, a burglar opening your door without the alarm going off,” Liu said. “IoT security breaches can incur over US$500,000 per month in losses from repairs, recalls and lawsuits. They can also significantly reduce users’ willingness to use IoT devices.”
IoT device security regulations and guidelines
According to Liu, countries and certain service providers have issued security regulations and guidelines for IoT device manufacturers to follow. Examples include the California Security of Connected Devices Senate Bill, or SB-327, which states that IoT device makers must equip products with “reasonable security features that are appropriate to the nature and function of the device, appropriate to the information [the device] may collect, contain, or transmit, and designed to protect the device and the information it contains from unauthorized access, destruction, use, modification, or disclosure.”
Similarly, the European standards organization ETSI has issued TS 103 645, “Cybersecurity for Consumer Internet of Things: Baseline Requirements,” which, while not a law like SB-327, provides guidelines for device manufacturers, who are advised to: eliminate universal default passwords, implement a means to manage reports of vulnerabilities, keep software updated, securely store credentials and security-sensitive data, minimize exposed attack surfaces, ensure software integrity and make systems resilient to outages, among others.
Beyond countries and standardization bodies, service providers also have guidelines that device makers must follow to be able to sell to these providers. Amazon’s Alexa Voice Service (AVS), for example, asks partnering hardware makers to meet security requirements such as: using a secure software update distribution mechanism that relies on cryptographic signing; implementing industry-standard device-hardening methods; using TLS 1.2 or greater for all communications outside of initial setup; implementing certificate validation for all TLS connections; and validating that connections to the Alexa built-in device are signed using the correct Amazon certificate.
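The two controls that recur across the ETSI baseline and the AVS requirements above are cryptographically signed software updates and TLS connections that insist on version 1.2 or higher with certificate validation. The following Go program is an added illustration of how a device-side agent can enforce both; it is not code from the article, from Onward Security, or from Amazon's AVS program. It assumes a vendor that signs update manifests with an Ed25519 key whose public half is baked into the device, and all names (UpdateManifest, VerifyUpdate, NewDeviceTLSConfig, CheckTLSPolicy) and sample bytes are hypothetical and constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest describes one firmware image. The vendor signs the canonical
// bytes of (Version, ImageSHA256) with its Ed25519 private key at build time;
// the device only ever holds the corresponding public key.
type UpdateManifest struct {
	Version     string
	ImageSHA256 string // hex-encoded SHA-256 of the image bytes
	Signature   []byte // Ed25519 signature over canonicalBytes()
}

// canonicalBytes is the exact byte string that is signed and verified, so a
// change to either the version or the digest invalidates the signature.
func (m UpdateManifest) canonicalBytes() []byte {
	return []byte("fw-manifest-v1\n" + m.Version + "\n" + m.ImageSHA256 + "\n")
}

// SignManifest is the vendor-side (hypothetical build-server) step.
func SignManifest(priv ed25519.PrivateKey, version string, image []byte) UpdateManifest {
	sum := sha256.Sum256(image)
	m := UpdateManifest{Version: version, ImageSHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.canonicalBytes())
	return m
}

// VerifyUpdate is the device-side gate: the image is accepted only when the
// manifest signature checks out under the pinned vendor key AND the image bytes
// hash to the digest the signed manifest names. Either failure rejects the
// update, so a tampered image or a forged manifest is never flashed.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest, image []byte) error {
	if !ed25519.Verify(vendorPub, m.canonicalBytes(), m.Signature) {
		return errors.New("manifest signature invalid: not signed by vendor key")
	}
	sum := sha256.Sum256(image)
	want, err := hex.DecodeString(m.ImageSHA256)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

// NewDeviceTLSConfig builds the client configuration a device should use for
// post-setup traffic: TLS 1.2 as the floor, certificate verification on, and
// trust restricted to a pinned root pool rather than every system CA.
func NewDeviceTLSConfig(pinnedRoots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		RootCAs:            pinnedRoots,
		ServerName:         serverName,
		InsecureSkipVerify: false,
	}
}

// CheckTLSPolicy is a self-test a device (or a certification lab) can run
// against any tls.Config to catch the two classic misconfigurations.
func CheckTLSPolicy(cfg *tls.Config) error {
	if cfg.InsecureSkipVerify {
		return errors.New("certificate validation is disabled")
	}
	if cfg.MinVersion == 0 || cfg.MinVersion < tls.VersionTLS12 {
		return errors.New("minimum TLS version is not explicitly set to 1.2 or higher")
	}
	return nil
}

func main() {
	// Constructed demo key pair and firmware bytes; a real device ships only the public key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	firmware := []byte("constructed firmware image v2.1.0")
	m := SignManifest(priv, "2.1.0", firmware)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, firmware))
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, m, tampered))
	fmt.Println("tls policy:", CheckTLSPolicy(NewDeviceTLSConfig(x509.NewCertPool(), "device.example")))
}
```

The signature covers the manifest rather than the raw image so that a device can verify a small manifest before downloading a large image, and the digest check then binds the image to that manifest; in production the pinned root pool would hold only the vendor's (or, for AVS, Amazon's) CA certificate, which is what "signed using the correct certificate" amounts to in code.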
It is important, then, for device manufacturers to comply with these regulations or guidelines in order to do business in those regions or with those service providers. To prove that products are secure, IoT vendors can get certification from prestigious certifiers such as U.S.-based CTIA’s Cybersecurity Certification Program, for which Onward runs testing labs. “The certification targets IoT devices using 4G, 5G, NB-IoT and Wi-Fi. Once you’ve passed the test you can get a logo that certifies that your products are secure,” Liu said.