Vulnerable connected devices a matter of 'homeland security'

Top government officials such as Homeland Security chief Jeh Johnson are urging device makers to secure everyday objects that connect to the internet.

After recent internet attacks have thrown rampant insecurities of internet-connected cameras, video recorders, and other gadgets into sharp relief, Washington lawmakers and officials are urging tech firms and electronics companies to do more to secure the so-called Internet of Things.

In perhaps the biggest internet assault of its kind last month, malicious attackers used specialized software to direct bogus web traffic from millions of ordinary consumer electronics at a key piece of internet infrastructure, crippling websites such as Amazon and The New York Times.

It was the first cyberattack to really demonstrate how an absence of security controls in the millions of everyday products linked to the web poses a threat to the entire internet. With analyst firms such as Gartner predicting more than 20 billion objects will be connected to the internet over the next few years, concerns are mounting quickly.

At a House Energy and Commerce subcommittee hearing this week, worried lawmakers said the attacks raised national security concerns and raised questions about the need for government intervention.

"The knee-jerk reaction might be to regulate the Internet of Things," said Rep. Greg Walden (R) of Oregon. "While I'm not taking a certain level of regulation off the table the question is whether we need a more holistic approach."

In separate but related announcements, the Department of Homeland Security (DHS) and the National Institutes of Standards and Technology (NIST) this week published independent sets of security recommendations for Internet of Things, or IoT, developers, manufacturers, service providers and business level consumers. 

The recommendations ranged from high-level advice on the need for manufacturers to bake in security at the product design phase to detailed technical measures for determining the trustworthiness of devices connected to the Internet.

"The growing dependency on network-connected technologies is outpacing the means to secure them," warned DHS Secretary Jeh Johnson in releasing the guidance. Everything from self-driving cars to the systems that control delivery of water and power to homes are internet connected. "Securing the Internet of Things has become a matter of homeland security."

Changes are happening in industry as well. Brian Scriber, security ambassador for the Open Connectivity Foundation (OCF), an organization trying to develop a communication standard for IoT devices, says manufacturers are taking multiple measures to mitigate risks.

OCF member companies have begun considering an array of questions like whether support and maintenance portals are available for their products, whether passwords are unique to each device and how easily accessible they are to others, over the web.

Tech companies have also begun scrutinizing issues such as how devices are authenticated and authorized on a network so they can be strengthened, says Mr. Scriber. OCF members include several technology giants like Microsoft, Cisco, GE, LG, and Sony. "Over the long term, standards around security practices best help protect consumers," he says.

The efforts represent the first, if somewhat tentative, efforts to address a problem that security experts have been warning about a long time but had not expected would happen so soon. Few, though, are holding out hope for any quick change.

"In the short term, consumers are pretty much up a creek without a paddle," says Kevin Fu, associate professor in the electrical engineering and computer science department at the University of Michigan. 

"In the long term, it's going to take sustained support from government, industry, and universities to get security built into the billions of emerging IoT devices," says Dr. Fu, who was an expert witness at the House hearing this week. 

IoT security has become a major issue following an October attack on Dyn, a provider of critical internet infrastructure services to several major web companies. 

Attackers overwhelmed Dyn's infrastructure with a distributed denial of service, or DDoS, attack. The attack was carried out via Mirai, a zombie network made up hundreds of thousands of malware-infected network connected "things" such as digital video recorders and home internet routers. The Mirai attack on Dyn had a ripple effect across the internet, crippling sites such as Amazon, Spotify and Netflix. 

The question now is how quickly and to what extent the problem can be addressed.

There's little, for instance, that can be done to secure the millions of vulnerable IoT devices that are already installed in homes and offices around the world, or for that matter are part of the Mirai network. 

Most of these products are hard to retrofit and many are not designed to automatically receive security updates and patches over the web. Even if the devices can be updated, there are few standard mechanisms for discovering them or for notifying consumers about the patches, where to find them and how to apply them.

"Today for most IoT devices, including home routers, the onus is up to the user to check for new firmware, download the firmware, log into the device and apply the firmware just to get rid of known vulnerabilities," says T. Roy, chief executive officer of IoT Defense, a Virginia cybersecurity startup.

With many consumers likely unable to do this on their own, the only other recourse to fix the present environment is to do massive device recalls, so manufacturers can update the products and ship it back, says Mr. Roy. 

The bigger focus though is on trying to prevent the problem from getting worse by building more resilience into IoT products and the infrastructure running them.

One proposal is to get IoT device-makers to include an automatic software update capability so their products can autonomously check for security updates and install them in much the same fashion that Windows and Mac systems have been doing for years.

Other suggestions include having unique passwords for each device and strengthening the manner in which IoT devices identify and authenticate themselves on the internet so it becomes harder to break into them.

There's almost universal consensus though that little will change unless manufacturers have an incentive to do it. Adding new security controls to IoT devices will likely make them costlier, so few are going to want to implement them unless everyone else does.

"Ultimately they won't care until it's financially beneficial for them to do so," says Lancen LaChance, vice president of product management at GlobalSign, a firm that provides internet authentication technologies.

The incentive might have to come from legislation that requires and result in fines if the service and devices aren’t secured. It may come as a result of financial damage caused by a successful attack or from consumers who vote with their dollars and buy products that are more secure or certified with some sort of industry standard.

"Ultimately, I don’t think that the question is if these scenarios will come to fruition," Mr. LaChance says. "It will be more of a question as to how soon these scenarios will come."