Following last month’s DDoS attack on Dyn, the overall awareness of the critical need for IoT security has increased dramatically. In mid-November, the congressional Committee on Energy and Commerce held a hearing to understand the role of connected devices in recent attacks and discuss the need for government intervention.
In a separate but related announcement, the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) both published strategic security principles for IoT developers, manufacturers, service providers and business-level consumers. This move has the best intentions, but it is hard to know what will incentivize IoT device manufacturers to implement the suggestions put forth, whether it is legislation, pushback from consumers or more attacks.
In this month’s IoT News Wrap-Up, we cover these two stories and more from the past month, below.
Congress Meets to Understand the Role of Connected Devices in Recent Cyber Attacks
An Energy and Commerce subcommittee hearing included testimony and submitted prepared remarks from Dale Drew, CSO and senior vice president of Level 3 Communications; crypto and privacy guru Bruce Schneier; and Dr. Kevin Fu. The predicted onslaught of connected devices creates overwhelming potential for IoT DDoS attacks, and if nothing changes, such as the use of default passwords, there is no telling what DDoS attacks will be capable of taking down.
Lawmakers Urge Technology Firms and Electronic Companies to Do More to Secure the Internet of Things
The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) this week published independent sets of security recommendations for the Internet of Things. The recommendations ranged from high-level advice on the need for manufacturers to bake in security at the product design phase to detailed technical measures for determining the trustworthiness of devices connected to the Internet.
Little will likely change unless manufacturers have an incentive to do so. Adding new security controls to IoT devices will likely make them costlier, so few are going to want to implement them unless everyone else does.
MORE IoT Recommendations, This Time from Tech Giants Like Google, Intel, Microsoft, Verizon and a Handful of Others
The Broadband Internet Technical Advisory Group (BITAG), made up of the above companies, formed six years ago to set best practices for broadband management and security. A few weeks ago, BITAG laid out its recommendations for the Internet of Things.
As part of the recommendations, BITAG suggests security standards for IoT devices, including software updates, password protection and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG would like to establish an industry cybersecurity program that includes a seal for certified "secure" devices.
One Minute and a Half! This Is the Time It Took for a Connected Security Camera to Be Infected with Malware
Rob Graham, CEO of Errata Security, tweet-documented how his $55 IoT security camera was infected with malware in record time.
If you find any of these topics interesting, we would love to discuss them with you on Twitter. Share your thoughts with us using the hashtag #IoTNewsWrap.