UK Releases Cybersecurity “Code of Practice” for IoT Developers
November 1, 2018 - 8 minutes readThe Internet of Things (IoT) is rapidly growing, but cybersecurity for IoT is becoming a real concern; IoT security is not keeping up with the progress that IoT is making as a whole, and it’s opening a huge gap for attackers to steal information and disrupt global supply chains.
Estimates show there are more than 23 billion IoT-connected devices today. This number is expected to grow to 75 billion by 2025.
To secure all of these devices in a standardized manner, it seems necessary for governments to get involved. Which is exactly what the U.K. is doing; the British government just released a “Code of Practice” to help IoT developers build more secure devices.
Understanding How Hackers Work
Hackers don’t target one device in their attack; the largest impact of a cybersecurity attack is felt when thousands or millions of devices stop working correctly. And whether the hack is physically or remotely initiated brings various challenges.
With physical hacking, the attacker must reverse engineer the hardware to locate insecure lines or ports. Using the unsecured hardware, the attacker can gain entry into the software and gain permission to download username and password combinations, security certificates, and exploit other flaws.
In remote hacking, the perpetrator tries to log in to the device remotely to update the software with a version that has malware allowing access to the device. Brute force attacks involve trying to log into an app or site rapidly, and the result is either overwhelmed servers or a cracked password.
Hackers often take an approach whereby they target a large number of servers or software at once, and recently that means involving Linux as the foundation for an attack. Unfortunately for IoT developers, avoiding working with Linux is next to impossible.
The Weakest Links
Linux is a very popular open-source operating system that can run on small microcontrollers, like those you would find in IoT devices across the world. Most Linux installations come with default username and password combinations, like “admin” and “password”. These are often the first weakness most hackers target.
When you consider that most enterprises are running outdated software and these outdated machines are connected to the same network as IoT devices, there’s immense potential to bring down an entire company with one small weakness.
In the Mirai botnet attack, the virus scanned the Internet for specific IP addresses of known IoT devices. Using telnet, a standard software on many machines running Linux, the virus attempted 60 common username-password combinations. If it worked, the virus installed malware on the IoT device, turning it into a compromised device that appeared to function normally on the front end.
But when the Mirai attack was initiated, it combined the forces of multiple compromised IoT devices to take down startups from San Francisco to London, like GitHub, Airbnb, and many more. This approach results in a “denial of service” (DoS) error message from the web servers, which is where the name DDoS (distributed DoS) attack originates from.
The Mirai attack was possible because IoT cybersecurity constantly gets placed last on the list of priorities for developers. And unfortunately, cybersecurity isn’t like other typical product features; great cybersecurity is invisible, but poor security shows itself over time.
An International Intervention
Governments are understandably concerned about security protocols and software integrity. Locally, authorities dealing with traffic, power, water, and other utilities have switched to remote monitoring and maintenance. This opens up the potential for disturbing the peace on a whole new scale.
And it’s not a theoretical possibility; infrastructure attacks have already happened multiple times in Ukraine and left thousands of citizens without electricity.
Voter registration and ballot casting have become a big point of contention with the American public with Trump’s election victory and mid-term elections coming up. Electronic voting machines may automate a lot of manual work, but they introduce new vulnerabilities that could cause some serious damage.
And smart cities will need especially strong cybersecurity if they’re going to provide public Wi-Fi connection across the entire population. Traffic control cannot get hacked during rush hour; electricity must be managed with backup plans, and water needs to be secured against constantly evolving hacking approaches. IoT sensors must work similarly to blockchains; recording settings on multiple devices can help upkeep security integrity.
Innovation over Vulnerabilities
Governments aren’t talking about cybersecurity seriously enough. It could only take one attack to stop all international communication for a few hours. And this could cause instantaneous widespread panic across the world.
At least the U.K. is stepping up to the plate; its “Code of Practice” helps IoT developers incorporate cybersecurity into the earliest stages of product development. Some suggestions include: removing the default passwords and creating all new unique combinations, using encrypted protocols for messaging, ensuring each IoT device has updated security certificates, prioritizing security-focused hardware over outdated counterparts, and much more.
These guidelines may sound rudimentary. But we know how easy it is to get caught up in development sprints and forget about the nice-to-haves or even need-to-haves in favor of pleasing the client’s immediate needs. So while they may be only guidelines for now, they’re well welcomed.
On the other hand, the U.S. Congress is stepping straight into regulation territory with its proposed Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA) to manage infrastructure oversight.
But some security specialists believe the solution isn’t in regulations or guideline.
Rather, it’s in innovating — slowing it down, that is. Security expert Bruce Schneier believes we need to slow down IoT innovation to let cybersecurity catch up. Otherwise, we may never have good enough cybersecurity across every industry without a mass mandate to update within a certain date range. This would result in the loss of more money and innovation than an initial slow-down of innovation right now, Schneier argues.
Do you think IoT cybersecurity is in dire need of laws and regulations? Or do you agree with Schneier that IoT innovation should slow down a bit to advance IoT security?
Tags: cybersecurity, cybersecurity attacks, hacking into IoT, internet of things app developer, internet of things app developers, internet of things app development, iot, IoT app developer, IoT app developer San Francisco, iot app developers, iot app development, IoT cybersecurity, IoT cybersecurity attacks, mirai botnet, mobile app developer San Francisco, San Francisco IoT app developer, San Francisco mobile app developer, the Internet of Things