The FTC released a staff report in late January that took a comprehensive look at the emerging “Internet of Things” and security, including secure APIs, authentication, and product updates, was a key theme.
I’d like to briefly explain why I believe IoT security is so important and why the IoT ecosystem presents a unique set of factors that give rise for special attention to security.
As discussed in the report, IoT devices come in a variety of forms and shapes, but they have a handful of similar attributes that make security an even greater challenge:
- While the functionality of IoT devices varies greatly, nearly all are powered by small, multipurpose computers (typically Unix-based) that can be reprogrammed to perform a variety of functions that go beyond the device’s original intended purpose.
- Many home and personal IoT devices available today have limited (or no) interfaces by which an individual can monitor device status or receive alerts in the event of surprising network activity and intrusion.
- In addition to the operating system, the same embedded chips and drivers underlie many different IoT products made by multiple different IoT manufacturers, meaning a vulnerability found on one device can often be exploited across a larger class of devices.
- Growth and diversity in IoT hardware also means that many devices introduced in the IoT market will be manufactured by new entrants that have very little prior experience in software development and security.
- Market dynamics underlying IoT is quite different from those found in the PC or Smartphone market. While IoT encompasses big and expensive devices like cars and smart televisions, there are also a large number of small and extremely low cost light bulbs, blankets, webcams, and routers – which might not receive the same level of warranty and support. Manufacturers may not be as incentivized to fix or patch vulnerability on a $30 webcam that they would on a $500 smartphone or $1000 laptop.
This combination of factors could give rise to a highly exploitable environment, putting individuals, and the internet as a whole, at risk.
The issue of support and patching is already rife in the smartphone market. For example, the open-source operating system originally developed by Google also powers many non-Google smartphones. When a consumer buys a branded phone from a carrier, the manufacturer customizes the core operating system for their needs. This OEM operating system will vary slightly from Google’s original operating system and any updates or security fixes released for the original OS may not immediately be applied to the OEM version without additional time or effort. As such, many phones available in stores today aren’t able to run the latest version of the operating system.
This fragmentation in the market has reportedly resulted in some 60 percent of phones vulnerable to a security bug affecting Android smartphone users that, due to supply chain issues, will likely never see a patch. This includes brand new phones available for purchase at a store today. BusyBox and Contiki, the open-source operating systems modified to power many of the IoT devices in use today, run similar risks of fragmentation.
Recently, researchers identified a critical vulnerability that affects some 12 million consumer routers currently on the Internet. The vulnerability is unique in that it affects the underlying embedded chipset and driver that powers some 200 different model routers from 50 manufacturers. The original chip manufacturer (AllegroSoft) patched the bug in 2005 but given the supply chain logistics, many router manufactures have not provided updates for the devices currently in the wild (meaning many are still vulnerable with no workaround). In the researchers’ demonstration, a brand new shrinkwrapped router was immediately vulnerable out of the box.
If consumers are already exposed to security updates and end-of-life issues in more mature markets for routers and smartphones, one has to wonder what the security implication will be like of this new and rapidly emerging market of IoT.
For example, a refrigerator was once just a refrigerator with one purpose: cooling food. Now that we live in an IoT world, embedded inside that refrigerator is a full-fledged network computer which could potentially be exploited to launch a DDOS attack against the consumer (or some external) network. As the technology behind the household items we buy evolves, so must the way we think about the long-term effect to consumers when they purchase them:
What will be the level of security and support while under warranty? If a critical vulnerability is discovered, will an update be provided? What happens after the warranty expires? Should modern refrigerators have a shelf-life, much like the food contained within?
These questions will need to be addressed if we want IoT to succeed.
The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.