Better IoT Security Depends on Changes in Culture, Habits

By : Krishna Anindyo | Wednesday, March 04 2020 - 16:57 IWST

Synopsys, Inc. (Images by PR Newswire)

INDUSTRY.co.id - Ironically enough, the good news about the atrocious security of Internet of Things (IoT) devices might be that the bad news is getting a higher profile. Stories about security cameras getting hacked, with attackers taunting users or trying to get children to say or do twisted things, aren’t just being covered in security blogs.

Awareness is not expertise

All of this helps with awareness. The word is spreading beyond security conferences to the general public that the IoT, while providing endless entertainment, magical convenience, lifesaving medical support, and more, is also the biggest cyber attack surface in the world.

It is fast becoming what many now call the Internet of Everything (IoE). And if consumers become more aware that the dazzling features of those devices come with risks, that is a good thing.

That doesn’t mean the problem is solved, however - not even close. Awareness doesn’t mean expertise. Users might know that compromised smart home devices could allow attackers to unlock their doors or spy on them and their children, but that doesn’t mean they know how to harden the security of those devices or their home networks.

Indeed, it’s a stretch to expect they would. When it comes to cars, all drivers know how to operate the brakes. But that doesn’t mean they have the expertise to analyse whether the brakes are safe when they drive their new car off the lot. They assume, as they should given automotive safety standards, that the brakes will work.

Updating firmware

Start with the firmware update. While many have heard the term, most don’t understand what firmware is or even if their devices contain it.

“If Janis gets explicit instructions from a manufacturer to update her firmware, because she has registered it, she will do it,” Janesko said.

“But it is highly unlikely she will do it because the FBI says so. They did not provide step-by-step instructions, and each device update process is different.”

And searching online to find instructions on how to update firmware can be “overwhelming,” she said, given that user manuals frequently cover multiple devices. “The instructions may not exactly match the firmware version that is running on the actual device. Hence, it will be intimidating.”

Changing passwords

Then there is changing the default password, probably the most practical and feasible recommendation on the list. But even that comes with its own complications. Some devices may not even offer that option.

Beyond that, “users may not be aware how to do this on the device. And aside from reusing their own passwords, how do they select a password that is strong and hasn’t already been reused?” Janesko said.

“Users need a generic way to generate strong passwords for these devices, like using passphrases and/or a generic, cross-platform tool like KeePass. It would also make sense to suggest for them a minimum length for the passwords/passphrases.”

And while multifactor authentication is “much, much more powerful than password protection, there are some barriers,” she said. Among them, “you have to have an additional device. This means Janis would need to go out and buy it or order it online. Unless she is forced to do so, she is not going to do it.”

“We need an agreed-upon path for authentication. It must be easy,” she said.

Creating segregated networks

Probably the least feasible recommendation for the average user: create a guest home network. A bit like expecting car owners to do their own brake jobs.

“Janis will not be able to do this on her own,” Janesko said. “She will have to contract someone to do it.”

Jeff Wilbur, technical director at the Online Trust Alliance (OTA), argues that if users work at it, they can become more capable in managing the security of their devices, even if some of the recommendations from the FBI “may be out of the norm for most users, and require some research to perform the first time.”

He said the recommendations are, in general, “practical and straightforward, and in line with those made by us and others.”

Still, as Janesko notes, once people have spent money on a device, struggled through the setup and configuration, downloaded the accompanying app, and configured it, they aren’t likely to follow recommendations they don’t understand.

She and just about everybody else.

Caveat emptor

This, of course, doesn’t mean consumers bear no responsibility. “Buyer beware” has been a principle for centuries. Still, when the risks are largely hidden and the average user doesn’t understand them, it’s easy to focus on what a device will do for you, ignoring what it could allow someone to do to you.

But Wilbur said there is help for those who are willing to look for it. “In the Internet Society’s IoT Trust Framework, we cover many of these issues, including principles such as limiting the number of login tries before locking out attempts for a period of time,” he said.

 

 
