Another senior tech industry official has joined the call for government regulation of Internet of Things devices.
The call came last week from BlackBerry CSO Alex Manea at the second annual Urban Security and Resilience Conference in Toronto.
“I think there needs to be better government regulations around IoT,” Manea said during a keynote speech.
“So one of the things I would like to see from an IoT regulatory standpoint is have a set of regulations that every device that connects to Internet has support, accepts and can load software updates. Because the reality is every piece of software is going to have vulnerabilities.”
“What worries me in my mind is IoT fundamentally changes the threat model in terms of security.” While hacking a desktop computer or a smart phone is unlikely to threaten a person’s safety, manipulating an IoT device remotely could be a safety issue.
Researchers have already shown improperly secured vehicles can be hacked, he pointed out. He also noted the huge Mirai botnet was assembled from unsecured IoT devices such as home routers and video surveillance cameras to launch massive distributed denial of service attacks.
BlackBerry researchers have shown a poorly-configured Internet-connected kettle linked to a corporate WiFi network could be hacked and access gained to unencrypted internal business traffic.
Manea joins a number of other tech leaders who are calling for government regulation of IoT devices for security, including privacy specialist and author Bruce Schneier, who at last fall’s SecTor conference noted governments already regulate the auto sector, aircraft manufacturing and health care sectors for safety. However, he said only “when the Internet actually starts killing people there will be a call for action.”
At the 2017 RSA Conference a panel of experts agreed governments have an obligation to quickly improve the cyber safety of the millions of industrial and consumer IoT devices being sold, although they differed on how to do it.
In the absence of regulations the Online Trust Alliance, now part of the Internet Society, has published an IoT Trust Framework for manufacturers to voluntarily follow.
Manea isn’t worried about what he called “high-level” IoT devices whose manufacturers are aware of the potential issues of Internet-connected products that can’t receive security patches or use hard-coded passwords. Instead, he’s concerned about companies on tight budgets and margins making products as inexpensively as possible. For these manufacturers adding security is not seen as important. And, he added, they don’t have security expertise.
The problem is already hitting enterprises. In a survey of 137 company officials released earlier this year, Trustwave said nearly three in five attributed some type of security incident, including attacks, to their use of IoT devices.
In an interview, Manea acknowledged that most governments are going to have to co-operate with each other to set such a regulatory standard, otherwise it won’t be effective. But it is vital.
“I would love to see governments starting to put forth a security framework for IoT, and really starting to look at things like, for instance, mandating the fact that IoT devices should be able to support secure software updates from the Internet and establish their source. Another big one is a lot of IoT devices have default passwords. I would love to see governments encourage people to move away from these default passwords and having users either use their own passwords or having manufacturers set passwords ahead of time.
“There’s many other security best practices that I think would be more mandated, things like mutual authentication between all sources, making sure we encrypt all data on devices and encrypt all data in transit as well. There’s a number of different layers of regulation we could have. I would love to see a general framework for IoT security, which doesn’t exist right now in any part of the world.”