The internet of things is a wonderful development of this technologically-oriented time we live in, at least on paper. You can unlock your home with your phone, turn off the oven while out and about, ask your TV to play Simpsons episodes, and even control the light and heat inside your home via a voice-controlled hub like Google Home or Amazon Echo. The problem is that most of the smaller, less smart IoT devices out there aren’t properly secured. It may not sound important to make sure nobody can hack into your lightbulb or your smart bathtub, but the issue lies in using those devices to get into networks, or using them as a botnet.
An attacker can’t thwart your high-end gaming PC’s firewall, but if they manage to get into the home heating system that you use that PC to control, you could be suffering low framerates and higher electric bills while that attacker rakes in bitcoin at your GPU’s expense. Likewise, your IoT devices could become unresponsive or go on the fritz for seemingly no reason, when the real reason is that they’re sending massive amounts of ping requests, using what little smarts they have, at a clever hacker’s behest. Even worse, there are some Bluetooth and NFC enabled smart locks that are either physically insecure, literally broadcast the password to get into your home in plain English, or even both. These are only a few of the possible security risks that adopters of IoT technology face at the moment. Some in the industry have already stepped up to help stop this trend, but according to the Broadband Internet Technical Advisory Group, there’s more that can be done.
The Broadband Internet Technical Advisory Group, or BITAG for short, is a loosely-knit nonprofit association of some of the biggest names in tech who are uniting under a common goal: the betterment of internet-related technology. Part of that, of course, is security, and the world of IoT is incredibly insecure at the moment. Some devices would benefit from updates, while others will be easier to replace entirely. Luckily, for the future, BITAG has a few suggestions and best practices that manufacturers could follow to help ensure their products are up to snuff.
The biggest thing is for devices to ship with current software that has any known exploits and bugs patched out. A large number of IoT devices run proprietary software with a Unix-based core, and these can be attacked with almost any Unix or Linux bug, so manufacturers need to be on the ball with shipping up-to-date, patched software for these devices. Even devices with very minimal software, since they connect to a network by definition, need to have no security holes. This is step one. Powerful authentication technology that locks a device up tight to the devices in the network around it should be on board, as should a mechanism to automatically and quickly update devices. Finally, devices should be tested for security before release in the same way hackers would test them: by trying to break into them.
BITAG also outlines a few best practices when it comes to hardware, backend, and encryption. According to BITAG, all IoT devices should be restrictive in their communications, should encrypt any and all local storage and network communications end to end, should use the latest network addressing and naming technologies and practices, and should function manually even if the internet connection or the device’s phone-home backend should fail. For example, a smart TV should still be usable as a regular TV if the internet fails, and a light switch should be manually operable. BITAG also recommends an easy-to-find privacy policy, as well as a disclosure of the manufacturer’s rights to mess with device functionality, such as disabling IoT devices when they become obsolete or can no longer be supported. An easy way for customers to contact the manufacturer should exist, as should bug reporting systems, a way to reset devices, and transparency in reporting of vulnerabilities and fixes. All of these recommended best practices, if implemented, will bring security up to snuff with most internet-connected devices, but consumers should never forget that there is no such thing as a perfectly secured device.