How to make home IoT more secure: Assume the worst
- 23 November, 2016 12:39
Sometimes the truth hurts but you just have to face it. The internet advisory group BITAG lays it on the line for the IoT industry in a new report: No, consumers aren’t going to update the software on their devices.
“It is safe to assume that most end users will never take action on their own to update software,” the Broadband Internet Technology Advisory Group said. Its recommendation: Build in mechanisms for automatic, secure updates.
That bit of human nature is just one of the harsh realities BITAG acknowledges in the report, which came out on Tuesday. It also points out that some consumer IoT devices ship with weak built-in usernames and passwords like “admin” and “password,” can’t do authentication or encryption, or can easily be taken over by malware that turns them into bots.
The latter fact became glaringly obvious earlier this year when Mirai botnets wreaked havoc with the internet thanks to vulnerable security cameras and other devices. But BITAG was on the case months before that, launching the research for Tuesday’s report in June.
BITAG has several pieces of advice for vendors of home IoT software and hardware. Given that the organization includes representatives from companies such as Cisco Systems, Google, AT&T and Comcast, those tips might find their way into future products and services.
The most basic one is that IoT vendors should assume that, eventually, whatever they build will have bugs and vulnerabilities. That’s why they need automatic over-the-air update tools that don’t force users to do anything -- even to opt in, BITAG said.
The report called on device makers to follow a list of best practices for security, including authenticating all communications, encrypting data stored on the device and providing a way to revoke certificates when they’ve been compromised.
By default, IoT devices shouldn’t be reachable through inbound network connections, even from devices in the same house, because those might have been compromised, BITAG said. It won't be enough to rely on a firewall to block unsafe communications.
The report also recommended IoT devices use IPv6, the latest version of Internet Protocol. It allows for end-to-end connections between devices over the internet and has some security features that the older IPv4 doesn’t. Other experts have said IPv6 will be necessary just to supply unique IP addresses for all the billions of anticipated IoT devices. However, implementing the new protocol in networks can be a difficult process that’s not without hazards.
Other BITAG recommendations don’t address security directly but touch on headaches some consumers have had with home IoT. The report calls on manufacturers to make devices that can work offline, since errors and certain kinds of attacks can kick a home off the internet. They should also be able to work if the accompanying cloud service fails.
Also, the group called on vendors to tell consumers how long they’ll support the products they’re selling, including whether they may disable features in the future. Nest’s deactivation of Revolv smart-home hubs earlier this year caused a stir among some consumers who had paid US$299 for the devices before Nest acquired Revolv in 2014.
Will there be a way to quickly tell whether a home IoT device is secure? Maybe. BITAG suggested the industry create a logo or notation for products that comply with a set of best practices, to save consumers from having to pore over specs to find out what each device has. But it didn't create the program itself.