A call for consumer education on device security vulnerabilities in light of the increasing push for IoT security regulation
By Brian Murray
Throughout the past few decades, the Internet of Things and connected devices have become more and more ingrained in our everyday lives at an increasingly rapid pace. Concurrently, these smart devices, which hold massive amounts of our private data, have become synonymous with vulnerability.
While the notion that IoT devices are susceptible to security threats and attacks is nothing new within the cybersecurity industry, with government regulation such as California’s SB-327, which is set to take effect on January 1, 2020, consumers are starting to take notice.
Yet, after 30+ years of rapid IoT growth, the question remains: Is smart device security regulation too little, too late?
IoT devices have fundamentally shifted the way consumers live, work and play. Consumers of all ages are empowered by the endless possibilities that a simple touch of a button or swipe of a finger can grant them access to. It has created what many believe to be a modern-day Pandora’s Box. What was perceived as an evolution of technological advancements to streamline everyday activities has opened the floodgates for personal data to be digitally downloaded by criminals throughout the globe.
At the core of the matter rests the fact that many IoT device vendors had, at best, subpar background in building internet-connected devices. Their expertise was rooted in constructing devices to be functional, not necessarily secure—and hackers took note.
Year-over-year reports show that the number of IoT threats has nearly doubled, with weak or default credentials and unpatched vulnerabilities driving the majority of observed threats. What’s more, the American Consumer Institute found that more than 80 percent of home and office routers were vulnerable to hacking.
This uptick may be the result of more sophisticated hackers. It could also be consumers’ inability to make security assessments on their own when purchasing devices, leading to a greater proliferation of insecure routers and digital recording devices. Some believe the rise in IoT attacks is the result of a lack of documented standards for common security issues that could serve as a guiding principle for manufacturers without the capital of companies such as Google and Amazon, which have been able to advance their smart home devices as a result.
Regardless of the reason, change is on the horizon.
Regulation: Hindsight in 2020
At the start of the new year, the state of California’s SB-327 Information privacy: connected devices went into effect with the intent to eliminate a common security vulnerability among IoT devices. Under this law, each device manufactured in the state must be equipped with a unique password.
History has shown that many IoT threats—most notably, those born from the Mirai malware’s leaked source code—target default and known passwords. While the effectiveness of SB-327 is not yet known, it has been championed as a solution to the decades-old headache of attackers leveraging default or weak credentials.
However, it has also created further confusion among cybersecurity experts and manufacturers alike with its vague language of “reasonable security features” for “any device, or other physical object that is capable of connecting to the internet, directly or indirectly.” The ambiguity of the law leaves room for interpretation that can vary from entity to entity and can make enforcing the law a challenge across the board. It can also make compliance a moving target for manufacturers saddled with navigating the implementation and adoption of the law.
The true impact of SB-327 is bound to take time, and its success hinges on deep collaboration and open communication across all parties. The hope is that, in hindsight, 2020 will prove to be a teaching milestone for how to better equip consumers with the knowledge to secure their data on all IoT devices.
Smart Education
It has been said that great power can come from simply being more informed. Cybersecurity professionals have a duty to the consumer to keep them informed and educated to make intelligent decisions about their smart devices used in their homes and offices.
For example, routers pose a significant risk to consumers and should be an IoT device that is heavily researched prior to purchase. The router is the gatekeeper for all information, including passwords, emails and credit card numbers, coming in and out of your home or business. As such, it is critical that consumers understand ways to safeguard their routers, including updating the firmware and turning on automatic updates.
More so than legislation regulating manufacturers, IoT device vendors and cybersecurity experts should plan to place a greater emphasis on arming consumers with a portal of information that not only makes understanding IoT security easy but makes implementing security procedures seamless.
For years, IoT devices were left hanging in the balance, open to ongoing threats and attacks, before talks of standardized processes and procedures were ever broached. As the line between IoT devices and the devices used to get online increasingly blurs, educating consumers on securing IoT devices is not just nice-to-have information, it is need-to-know information, and it is up to cybersecurity industry leaders, experts, and professionals to help guide the way.
About the Author
Brian Murray is Leader, North America Operator Business for F-Secure, a global cybersecurity firm driving innovations in the industry, with experience in endpoint protection as well as detection and response. Brian can be reached at [email protected].