Better IoT Security Depends on Changes in Culture, habits
By : Krishna Anindyo | Wednesday, March 04 2020 - 16:57 IWST
Synopsys, Inc. (Images by PR Newswire)
INDUSTRY.co.id - Ironically enough, the good news about the atrocious security of Internet of Things (IoT) devices might be that the bad news is getting a higher profile.Stories about security cameras getting hacked, with attackers taunting users or trying to get children to say or do twisted things, aren’t just being covered in security blogs.
Awareness is not expertise, All of this helps with awareness. The word is spreading beyond security conferences to the general public that the IoT, while providing endless entertainment, magical convenience, lifesaving medical support, and more, is also the biggest cyber attack surface in the world.
It is fast becoming what many now call the Internet of Everything IoE. And if consumers become more aware that the dazzling features of those devices come with risks, that is a good thing.
That doesn’t mean the problem is solved, however - not even close. Awareness doesn’t mean expertise. Users might know that compromised smart home devices could allow attackers to unlock their doors or spy on them and their children, but that doesn’t mean they know how to harden the security of those devices or their home networks.
Indeed, it’s a stretch to expect they would. When it comes to cars, all drivers know how to operate the brakes. But that doesn’t mean they have the expertise to analyse whether the brakes are safe when they drive their new car off the lot. They assume as they should, given automotive safety standards that the brakes will work.
Updating firmware, start with the firmware update. While many have heard the term, most don’t understand what firmware is or even if their devices contain it.
“If Janis gets explicit instructions from a manufacturer to update her firmware, because she has registered it, she will do it,” Janesko said.
“But it is highly unlikely she will do it because the FBI says so. They did not provide step-by-step instructions, and each device update process is different.”
And searching online to find instructions on how to update firmware can be “overwhelming,” she said, given that user manuals frequently cover multiple devices. “The instructions may not exactly match the firmware version that is running on the actual device. Hence, it will be intimidating.”
Changing passwords, then there is changing the default password, probably the most practical and feasible recommendation on the list. But even that comes with its own complications. Some devices may not even offer that option.
Beyond that, “users may not be aware how to do this on the device. And aside from reusing their own passwords, how do they select a password that is strong and hasn’t already been reused?” Janesko said.
“Users need a generic way to generate strong passwords for these devices, like using passphrases and/or a generic, cross-platform tool like KeePass. It would also make sense to suggest for them a minimum length for the passwords/passphrases.”
And while multifactor authentication is “much, much more powerful than password protection, there are some barriers,” she said. Among them, “you have to have an additional device. This means Janis would need to go out and buy it or order it online. Unless she is forced to do so, she is not going to do it.”
“We need an agreed-upon path for authentication. It must be easy,” she said.
Creating segregated networks, probably the least feasible recommendation for the average user: Create a guest home network. A bit like expecting car owners to do their own brake jobs.
“Janis will not be able to do this on her own,” Janesko said. “She will have to contract someone to do it.”
Jeff Wilbur, technical director at the Online Trust Alliance OTA, argues that if users work at it, they can become more capable in managing the security of their devices, even if some of the recommendations from the FBI “may be out of the norm for most users, and require some research to perform the first time.”
He said the recommendations are, in general, “practical and straightforward, and in line with those made by us and others.”
Still, as Janesko notes, once people have spent money on a device, struggled through the setup and configuration, downloaded the accompanying app, and configured it, they aren’t likely to follow recommendations they don’t understand.
She and just about everybody else.
Caveat emptor, this, of course, doesn’t mean consumers bear no responsibility. “Buyer beware” has been a principle for centuries. Still, when the risks are largely hidden and the average user doesn’t understand them, it’s easy to focus on what a device will do for you, ignoring what it could allow someone to do to you.
But Wilbur said there is help for those who are willing to look for it. “In the Internet Society’s IoT Trust Framework, we cover many of these issues, including principles such as limiting the number of login tries before locking out attempts for a period of time,” he said.