National Cyber Security Awareness Month (NCSAM) may be ending soon, but that doesn’t mean you can or should forget about cybersecurity and go back to your daily lives, right? Right. In this post, we’ll be talking about an important cybersecurity problem that has become an issue worldwide: Security (or lack thereof) of IoT devices.
We’ve addressed this issue before but we think it’s worth calling out again because it is so important. Everything from your watch to your fridge can be connected to the internet, which means everything from your watch to your fridge is vulnerable to being exploited by malicious actors. Sure, your fridge may not hold your credit card information (yet), but your devices are just another way for them to gain access to your network or even control them. Perhaps the most popular mischief hackers get into with your IoT devices is controlling them in botnets such as Mirai that take part in DDoS attacks on companies. That’s no good. Think about this also: A weak IoT device connected to a corporate network means an easy access point for hackers/bad actors to gain access to sensitive corporate information.
One major problem with security vulnerabilities in IoT devices is that they simply aren’t that well secured to begin with. Surely no one really thought a fridge that could tell you the weather or put together a shopping list for you posed a great danger, right? Wrong. The root cause of this thinking?
First of all, IoT device manufacturers didn’t really (and still don’t, most security experts would argue) have the knowledge or understanding to secure what they were making, let alone the policies, procedures and staff to do it. No wonder millions of DVR’s, TV’s and fridges were sold with generic default passwords and no instructions or advice on changing them once the devices were activated.
In the end, manufacturer’s are watching their bottom line, and ultimately revenue is heavily influenced by the product’s ease of use–the easier a product is to use, the more likely someone is to buy it. But now that we’ve seen the devastating effects these vulnerable devices can have on our personal and corporate lives, manufacturers and consumers are only just starting to understand the danger they present. The problem now is getting them to act on it.
Luckily, California took action by recently passing a law addressing IoT security vulnerabilities–the first such law in the country. Starting Jan. 1, 2020, any manufacturer of a device that can connect to the internet–whether directly or indirectly, must set it up with “reasonable” security features to help prevent unauthorized access or data loss. If the device can be accessed outside a local network with a password, it must either have a unique password for every device made, or force users to set their own password when first connecting (no more generic “admin” usernames or passwords).
Reaction to the bill from security experts has been mixed. On the one hand, it is hailed as progress towards addressing major security issues in IoT devices. On the other hand, the “reasonable” language of the bill leaves it frustratingly vague and open to too much interpretation. What defines “reasonable”?
Some good news though: Because California is a nice large state, any device makers that sell products there most likely distribute to other states, indirectly extending these new benefits to customers throughout the country. So we’ll all benefit from California’s new law. Hooray!
Security in IoT devices is an ongoing issue, but at long last we’re making progress towards addressing it. Hopefully IoT manufacturers will start reviewing whatever security policies they have and/or implementing better ones.