Smart Devices a 'Major Threat' when it comes to Cyber Warfare

John Lister's picture

A Harvard lecturer has warned Congress that only government regulations can prevent serious consequences from security attacks on the "Internet of Things." Bruce Schneier says there's little market incentive for buyers or sellers to fix a problem, should a problem arise.

The Internet of Things (IoT) refers to the growing number of devices that can now be connected to the Internet, making them "smart devices". Rather than just computers and phones, the Internet of Things covers everything from thermostats to cars, often with the Internet connection allowing users remote access to change settings.

Most of the security stories around the Internet of Things have centered on the possibilities of attackers remotely accessing or controlling such devices, causing mischief or worse. However, last month hackers were able to take advantage of unsecured devices and use them to launch a distributed denial of service (DDoS) attack, which then brought down several major websites.

Internet of Things Makes for Cheap and Easy Attacks

Such an attack normally involves getting a network of infected computers to flood a site with bogus requests for data until it simply can't cope with the flood, and therefore legitimate traffic is blocked. Being able to incorporate other devices (such as a smart refrigerator) for such a tactic is particularly valuable, because denial of service attacks are as much about the sheer quantity of devices making the bogus requests as they are the individual computing power of the devices.

Schneier told two Congressional subcommittees that the nature of the smart device market means it's unlikely people will improve security on their own. He notes that most of the devices are produced cheaply and with low profit margins (with a large volume of sales turning profits), and thus manufacturers are wary of spending too much on boosting security on these devices.

Meanwhile buyers often don't know when their devices are compromised and have no easy way to patch the device. Schneier also noted that because household devices tend to be used for much longer before being replaced than phones and tablets are, the chances are that they'll stay compromised for much longer.

Politicians Uneasy About Controls

Politicians, however, were wary about the suggestion, with one calling it a "knee-jerk reaction." They also questioned how much difference regulations could make given that so many devices are manufactured outside of the US. (Source: computerworld.com)

The discussion follows on from both the Department of Homeland Security and the National Institute of Standards and Technology publishing suggestions on how smart devices could be better secured. (Source: thehill.com)

What's Your Opinion?

Do smart devices need better security? If so, is government regulation the way to go? Is there any point trying to regulate devices when foreign-made ones would likely be exempt?


Comments

Dennis Faas's picture

This is all very fascinating, considering the implications. The arguments on both sides are indeed valid. Congress will have a very hard time forcing manufacturers overseas to "be responsible" about their devices, and yet turning a blind eye surely won't be enough. I think perhaps a better solution would be to build smarter routers on the Internet that are able to sniff such an attack and prevent further traffic from getting through - an effective kill switch for any smart device gone rogue. That would be pretty tough to do though, considering a denial of service attack can come from literally anywhere and look like legitimate traffic.

guitardogg's picture

Something needs to be done! I prefer a technical solution, as regulatory solutions are often ineffective and bogged down in government red tape. Easier said than done I'm afraid. While DOS attacks are an issue, there are other potential problems with smart devices. In the medical field they are developing smart devices like pacemakers and insulin pumps that can be accessed by medical professionals for monitoring and adjustments. Hack into one of these, and you could potentially kill someone. One early piece of PC malware would cause the read/write heads to overwork and burn out the hard drive. Similar types of attacks could cause a smart device to fail, or maybe even catch fire, who knows?

dan400man's picture

As mentioned in the article, U.S. regulations would have no effect on devices made and used outside of the U.S., and while I respect and acknowledge Bruce Schneier as a top authority on security, I have to wonder how he thinks U.S. regulations would help.

matt_2058's picture

It would be easy to implement a regulation fix. It would be an import requirement or import regulation assessed on the goods. If it doesn't meet the standard, it can't come in. That doesn't mean I believe it's the best fix, but it's a step and a good place to start and can catch a wide range of devices.

If it's impossible to put a restriction on nilly-willy IoT devices made overseas, how about letting the FCC put a general rule on the stuff, like update-able software/firmware or a lockdown/lockout. Then, as a secondary, have the routers incorporate something like mentioned above.

Anyways, if somebody imposes a requirement to meet then that's the minimum standard.

DaLincerGuy's picture

My thought... Place any IoT items in a sandboxed area of my home network.

Any item connecting to the router has to have specific approval to connect outside the network to a "short list" of approved outside places. An IoT item does not, in my opinion, need unfettered access to the whole internet, just a few places.

Then, outside access through the router from a smartphone, needs a VPN style secured link between my phone and the router. At home, I pair my phone and my router, and I can then reach in and see my IoT devices. Without the secured phone, you cannot reach in through my router.

That way, I can have my IoT devices be much less security conscious... any comments?

David
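The layout described in the comment above (isolated IoT segment, a per-device "short list" of outside destinations, remote access only over a VPN), sketched as an nftables ruleset for a Linux-based router. This is an added example, not part of the original article or comments; the interface names, the 192.168.50.0/24 IoT addresses, the documentation-range destination addresses and the choice of WireGuard on UDP 51820 are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name and address below is a placeholder.
flush ruleset

define WAN = "eth0"     # uplink to the ISP
define LAN = "br-lan"   # trusted home devices
define IOT = "br-iot"   # separate bridge/VLAN for smart devices
define VPN = "wg0"      # tunnel the paired phone connects through

table inet filter {
    # The "short list": device address . destination address . port.
    # Anything an IoT device sends that is not listed here never leaves.
    set iot_egress {
        type ipv4_addr . ipv4_addr . inet_service
        elements = {
            192.168.50.10 . 203.0.113.10 . 443,
            192.168.50.11 . 203.0.113.20 . 8883
        }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $WAN udp dport 51820 accept        # only the VPN is reachable from outside
        iifname { $LAN, $VPN } accept              # router admin from trusted side only
        iifname $IOT udp dport { 53, 67 } accept   # IoT may use router DNS and DHCP, nothing else
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Trusted LAN and the VPN-connected phone may reach in to IoT devices.
        iifname { $LAN, $VPN } oifname $IOT accept
        iifname $LAN oifname $WAN accept

        # IoT egress: allowlisted (device, destination, port) tuples only.
        iifname $IOT oifname $WAN ip saddr . ip daddr . tcp dport @iot_egress accept

        # Everything else from the IoT segment (including IoT -> LAN) is
        # logged and dropped; the log shows what a device tried to reach.
        iifname $IOT log prefix "iot-drop " counter drop
    }
}
```

Vendor cloud endpoints often change addresses, so an allowlist keyed on fixed IPs needs upkeep; the "iot-drop" log entries show which destinations a device attempts after an update.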

matt_2058's picture

I'm definitely not an expert, but it sounds good. I'm still reading and trying to learn how to do that with the non-IoT things I have now.

I think I need to know a little more before I start monkey-ing with the router and possibly mess things up. I want to restrict access to my NAS beyond the NAS settings. I saw some options of limiting IP address and MAC address in the NAS setup. MAC address I can implement now, but not IP. I need my parents' IPs since that is the most probable place I'd access it from.