Better IoT Security Depends on Changes in Culture, Habits

By : Krishna Anindyo | Wednesday, March 04 2020 - 16:57 IWST

Synopsys, Inc. (Images by PR Newswire)

INDUSTRY.co.id - Ironically enough, the good news about the atrocious security of Internet of Things (IoT) devices might be that the bad news is getting a higher profile. Stories about security cameras getting hacked, with attackers taunting users or trying to get children to say or do twisted things, aren't just being covered in security blogs.

Awareness is not expertise

All of this helps with awareness. The word is spreading beyond security conferences to the general public that the IoT, while providing endless entertainment, magical convenience, lifesaving medical support, and more, is also the biggest cyber attack surface in the world.

It is fast becoming what many now call the Internet of Everything (IoE). And if consumers become more aware that the dazzling features of those devices come with risks, that is a good thing.

That doesn’t mean the problem is solved, however - not even close. Awareness doesn’t mean expertise. Users might know that compromised smart home devices could allow attackers to unlock their doors or spy on them and their children, but that doesn’t mean they know how to harden the security of those devices or their home networks.

Indeed, it's a stretch to expect they would. When it comes to cars, all drivers know how to operate the brakes. But that doesn't mean they have the expertise to analyse whether the brakes are safe when they drive their new car off the lot. They assume, as they should given automotive safety standards, that the brakes will work.

Updating firmware

Start with the firmware update. While many have heard the term, most don't understand what firmware is or even whether their devices contain it.

“If Janis gets explicit instructions from a manufacturer to update her firmware, because she has registered it, she will do it,” Janesko said.

“But it is highly unlikely she will do it because the FBI says so. They did not provide step-by-step instructions, and each device update process is different.”

And searching online to find instructions on how to update firmware can be “overwhelming,” she said, given that user manuals frequently cover multiple devices. “The instructions may not exactly match the firmware version that is running on the actual device. Hence, it will be intimidating.”

Changing passwords

Then there is changing the default password, probably the most practical and feasible recommendation on the list. But even that comes with its own complications. Some devices may not even offer that option.

Beyond that, “users may not be aware how to do this on the device. And aside from reusing their own passwords, how do they select a password that is strong and hasn’t already been reused?” Janesko said.

“Users need a generic way to generate strong passwords for these devices, like using passphrases and/or a generic, cross-platform tool like KeePass. It would also make sense to suggest for them a minimum length for the passwords/passphrases.”
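The passphrase approach Janesko describes, as an added example (not code from the article or from Synopsys): words are drawn with a cryptographically secure source, a minimum total length is enforced, and the entropy of the result is computed so the user can see why the size of the wordlist matters. The wordlist below is a constructed 24-word sample for demonstration only; the `generate_passphrase`, `meets_policy` and `entropy_bits` names are this example's own, and a real deployment would use a large published list such as the EFF long list of 7,776 words.

```python
import math
import secrets

# Constructed demonstration wordlist (assumption: far too small for real use;
# substitute a published list of several thousand words in practice).
DEMO_WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchard", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]


def entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy (bits) of num_words words chosen uniformly from wordlist_size candidates."""
    return num_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, num_words=6, min_length=20, separator="-"):
    """Return a random passphrase of num_words words with at least min_length characters.

    Uses the secrets module (CSPRNG) rather than random. If the wordlist cannot
    possibly satisfy min_length with num_words words, fail loudly instead of
    looping forever.
    """
    if num_words < 1:
        raise ValueError("num_words must be at least 1")
    longest = max(len(w) for w in wordlist)
    if num_words * longest + (num_words - 1) * len(separator) < min_length:
        raise ValueError("wordlist/num_words cannot reach min_length")
    while True:
        words = [secrets.choice(wordlist) for _ in range(num_words)]
        phrase = separator.join(words)
        if len(phrase) >= min_length:
            return phrase


def meets_policy(phrase, wordlist, min_length=20, min_words=6, separator="-"):
    """Check a candidate passphrase against the length/word-count policy."""
    words = phrase.split(separator)
    return (
        len(phrase) >= min_length
        and len(words) >= min_words
        and all(w in wordlist for w in words)
    )


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDLIST)
    print(phrase)
    print("demo-list entropy: %.1f bits" % entropy_bits(6, len(DEMO_WORDLIST)))
    print("EFF-long-list entropy: %.1f bits" % entropy_bits(6, 7776))
```

Six words from the 24-word sample give only about 27.5 bits, which shows why the list, not just the word count or character length, determines strength; six words from a 7,776-word list give about 77.5 bits. Device password fields that cap length or reject hyphens will force a shorter separator or fewer words, so the policy check should be run against what the device actually accepted.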

And while multifactor authentication is “much, much more powerful than password protection, there are some barriers,” she said. Among them, “you have to have an additional device. This means Janis would need to go out and buy it or order it online. Unless she is forced to do so, she is not going to do it.”

“We need an agreed-upon path for authentication. It must be easy,” she said.

Creating segregated networks

Probably the least feasible recommendation for the average user: create a guest home network. A bit like expecting car owners to do their own brake jobs.

“Janis will not be able to do this on her own,” Janesko said. “She will have to contract someone to do it.”

Jeff Wilbur, technical director at the Online Trust Alliance (OTA), argues that if users work at it, they can become more capable in managing the security of their devices, even if some of the recommendations from the FBI "may be out of the norm for most users, and require some research to perform the first time."

He said the recommendations are, in general, “practical and straightforward, and in line with those made by us and others.”

Still, as Janesko notes, once people have spent money on a device, struggled through the setup and configuration, downloaded the accompanying app, and configured it, they aren’t likely to follow recommendations they don’t understand.

She and just about everybody else.

Caveat emptor

This, of course, doesn't mean consumers bear no responsibility. "Buyer beware" has been a principle for centuries. Still, when the risks are largely hidden and the average user doesn't understand them, it's easy to focus on what a device will do for you, ignoring what it could allow someone to do to you.

But Wilbur said there is help for those who are willing to look for it. “In the Internet Society’s IoT Trust Framework, we cover many of these issues, including principles such as limiting the number of login tries before locking out attempts for a period of time,” he said.
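The lockout principle Wilbur mentions, as an added example (not the Internet Society's or OTA's code, and not a published reference implementation): a device or service checks the lockout state before it verifies the password, counts consecutive failures per account, and locks the account for a fixed period once the threshold is reached. The `LoginThrottle`, `ManualClock` and `demo_verify` names, the credential store, and the threshold and lockout values are this example's own assumptions; the clock is injectable so the expiry can be exercised without waiting.

```python
import hmac
import time
from collections import defaultdict


class ManualClock:
    """Settable clock used for demonstration and testing (assumption: real code uses time.monotonic)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class LoginThrottle:
    """Lock an account for lockout_seconds after max_failures consecutive failed logins."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear the lock and the failure counter.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, password, verify):
        """Return True if the login is accepted.

        The lock is checked first, so a locked account is rejected without
        the password ever being verified (a correct guess during the lockout
        does not get in and does not reveal that it was correct).
        """
        if self.is_locked(account):
            return False
        if verify(account, password):
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return False


# Constructed in-memory credential for the demo. Assumption: a real device
# stores a salted password hash, not the password itself.
_DEMO_CREDENTIALS = {"janis": "correct-horse-battery-staple"}


def demo_verify(account, password):
    """Constant-time comparison against the constructed demo credential."""
    stored = _DEMO_CREDENTIALS.get(account, "")
    return hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=clock)
    for guess in ("admin", "password", "12345"):
        print(guess, throttle.attempt("janis", guess, demo_verify))
    print("locked:", throttle.is_locked("janis"))
    clock.now = 61
    print("after expiry:", throttle.attempt("janis", "correct-horse-battery-staple", demo_verify))
```

Two caveats a practitioner would add: a per-account lock lets anyone who knows a username lock its owner out, so short lockouts with escalating duration (or throttling by source address as well) limit that denial of service; and the response for "locked" and "wrong password" should be identical, so the lock state does not itself become an oracle for which usernames exist.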
