
Vulnerable connected devices a matter of 'homeland security'

Top government officials such as Homeland Security chief Jeh Johnson are urging device makers to secure everyday objects that connect to the internet.

Photo: Department of Homeland Security Secretary Jeh Johnson (c.) waited to testify at the Senate Homeland Security and Governmental Affairs Committee in Washington on Sept. 27. (Gary Cameron/Reuters)

After recent internet attacks have thrown rampant insecurities of internet-connected cameras, video recorders, and other gadgets into sharp relief, Washington lawmakers and officials are urging tech firms and electronics companies to do more to secure the so-called Internet of Things.

In perhaps the biggest internet assault of its kind last month, malicious attackers used specialized software to direct bogus web traffic from millions of ordinary consumer electronics at a key piece of internet infrastructure, crippling websites such as Amazon and The New York Times.

It was the first cyberattack to really demonstrate how an absence of security controls in the millions of everyday products linked to the web poses a threat to the entire internet. With analyst firms such as Gartner predicting more than 20 billion objects will be connected to the internet over the next few years, concerns are mounting quickly.

At a House Energy and Commerce subcommittee hearing this week, worried lawmakers said the attacks raised national security concerns and questions about the need for government intervention.

"The knee-jerk reaction might be to regulate the Internet of Things," said Rep. Greg Walden (R) of Oregon. "While I'm not taking a certain level of regulation off the table, the question is whether we need a more holistic approach."

In separate but related announcements, the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) this week published independent sets of security recommendations for Internet of Things, or IoT, developers, manufacturers, service providers, and business-level consumers.

The recommendations ranged from high-level advice on the need for manufacturers to bake in security at the product design phase to detailed technical measures for determining the trustworthiness of devices connected to the Internet.


"The growing dependency on network-connected technologies is outpacing the means to secure them," warned DHS Secretary Jeh Johnson in releasing the guidance. Everything from self-driving cars to the systems that control delivery of water and power to homes is internet-connected. "Securing the Internet of Things has become a matter of homeland security."

Changes are happening in industry as well. Brian Scriber, security ambassador for the Open Connectivity Foundation (OCF), an organization trying to develop a communication standard for IoT devices, says manufacturers are taking multiple measures to mitigate risks.

OCF member companies have begun considering an array of questions, such as whether support and maintenance portals are available for their products, whether passwords are unique to each device, and how easily accessible they are to others over the web.

Tech companies have also begun scrutinizing issues such as how devices are authenticated and authorized on a network so they can be strengthened, says Mr. Scriber. OCF members include several technology giants like Microsoft, Cisco, GE, LG, and Sony. "Over the long term, standards around security practices best help protect consumers," he says.

These steps represent the first, if somewhat tentative, efforts to address a problem that security experts have been warning about for a long time but had not expected to materialize so soon. Few, though, are holding out hope for any quick change.

"In the short term, consumers are pretty much up a creek without a paddle," says Kevin Fu, associate professor in the electrical engineering and computer science department at the University of Michigan. 

"In the long term, it's going to take sustained support from government, industry, and universities to get security built into the billions of emerging IoT devices," says Dr. Fu, who was an expert witness at the House hearing this week. 

IoT security has become a major issue following an October attack on Dyn, a provider of critical internet infrastructure services to several major web companies. 

Attackers overwhelmed Dyn's infrastructure with a distributed denial of service, or DDoS, attack. The attack was carried out via Mirai, a zombie network made up of hundreds of thousands of malware-infected, network-connected "things" such as digital video recorders and home internet routers. The Mirai attack on Dyn had a ripple effect across the internet, crippling sites such as Amazon, Spotify and Netflix.

The question now is how quickly and to what extent the problem can be addressed.

There's little, for instance, that can be done to secure the millions of vulnerable IoT devices that are already installed in homes and offices around the world, or for that matter are part of the Mirai network. 

Most of these products are hard to retrofit and many are not designed to automatically receive security updates and patches over the web. Even if the devices can be updated, there are few standard mechanisms for discovering them or for notifying consumers about the patches, where to find them and how to apply them.

"Today for most IoT devices, including home routers, the onus is up to the user to check for new firmware, download the firmware, log into the device and apply the firmware just to get rid of known vulnerabilities," says T. Roy, chief executive officer of IoT Defense, a Virginia cybersecurity startup.

With many consumers likely unable to do this on their own, the only other recourse to fix the present environment is to do massive device recalls, so manufacturers can update the products and ship them back, says Mr. Roy.

The bigger focus though is on trying to prevent the problem from getting worse by building more resilience into IoT products and the infrastructure running them.

One proposal is to get IoT device-makers to include an automatic software update capability so their products can autonomously check for security updates and install them in much the same fashion that Windows and Mac systems have been doing for years.

Other suggestions include having unique passwords for each device and strengthening the manner in which IoT devices identify and authenticate themselves on the internet so it becomes harder to break into them.

There's almost universal consensus though that little will change unless manufacturers have an incentive to do it. Adding new security controls to IoT devices will likely make them costlier, so few are going to want to implement them unless everyone else does.

"Ultimately they won't care until it's financially beneficial for them to do so," says Lancen LaChance, vice president of product management at GlobalSign, a firm that provides internet authentication technologies.

The incentive might have to come from legislation that requires security measures and results in fines if the service and devices aren't secured. It may come as a result of financial damage caused by a successful attack or from consumers who vote with their dollars and buy products that are more secure or certified with some sort of industry standard.

"Ultimately, I don’t think that the question is if these scenarios will come to fruition," Mr. LaChance says. "It will be more of a question as to how soon these scenarios will come."
