While IoT keeps climbing the popularity charts, the other thing which is growing at almost twice the pace along with it is the security concern associated with it.

Nowadays, personal computers are no more the only devices connected to the internet. A variety of devices embedded with Internet connectivity and functions have also joined the party. This very class of devices, famously known as the Internet of Things or IoT, and has ended up giving birth to a new level of security and privacy risks.

In order to curb these, the Broadband Internet Technical Advisory Group or the BITAG- an alliance formed by world technology giants Microsoft, Google, Verizon, Intel and a number of other players in the tech industry- has laid out a set of guidelines so as to improve the security on Internet of Things devices.

Formed in the year 2010 to produce best practices for broadband security, the BITAG published its recommendations for IoT manufacturers in a report titled Internet of Things (IoT) Security and Privacy Recommendations. The Report explores in detail the technical aspects of the security and privacy of networked consumer devices.

In the 8-pages long document, the BITAG mentions that “the nature of consumer IoT is unique because it can involve non-technical or uninterested consumers; challenging device discovery and inventory on consumer home networks.” It further added that IoT devices can be hijacked to create “Distributed Denial of Service (DDoS) attacks, perform surveillance and monitoring, gain unauthorized access or control, induce device or system failures, and disturb or harass authorized users or device owners.”

This is exactly what happened in the case of Mirai, the malware that is responsible for causing one of the worst denial of service cyberattacks that the world had experienced in the last few years. Recently the malware had spread and infected internet-connected devices in over 177 countries all around the world.

In October, Mirai caused massive outrage when it targeted Dyn, a major name in the domain name service (DNS) provider sector. The case saw Internet of Things being put to use to break the internet.

In order to avoid such cases in the future, the Broadband Internet Technical Advisory Group made a number of recommendations for the manufacturers:

1) IoT Devices should make use of the best current software practices. This should include a strong mechanism for secure, automated software updates.

2) IoT Devices should use strong authentication by default and not use common or easily guessable user names and passwords (e.g., “admin”, “password”).

3) IoT Devices manufacturers should follow best security and Cryptography practices by securing communications using Transport Layer Security (TLS) or Lightweight Cryptography (LWC). If devices rely on a public key infrastructure (PKI), then an authorized entity must be able to revoke certificates when they become compromised, and manufacturers should take care to avoid encryption methods, protocols, and key sizes with known weaknesses.

4) IoT Devices should be restrictive rather than permissive in communication.

5) IoT Devices should continue to function even if the internet connectivity is disrupted.

6) IoT Devices should continue to function even if the cloud back-end fails

7) IoT Devices should ship with a privacy policy that is easy to find and understand.

BITAG is a non-profit, multi-stakeholder organization that is focused on bringing together engineers and technologists in a Technical Working Group (TWG) to develop consensus on broadband network management practices and other related technical issues that can affect users’ Internet experience, including the impact to and from applications, content and devices that utilize the Internet.

The report has also recommended that IoT devices manufacture should make sure that the devices are not reachable via inbound connections by default. Since BITAG is just an advisory group, it can’t legally enforce any of its recommendations on IoT device manufacturers, but can only give them crucial points to think on and act.

The lead editors of the report were Jason Livingood, Vice President - Technology Policy & Standards at Comcast and Nick Feamster, Professor of Computer Science at Princeton University. Douglas Sicker, Executive Director of BITAG, Chair of BITAG’s Technical Working Group, Department Head of Engineering and Public Policy and a professor of Computer Science at Carnegie Mellon University, chaired the review itself.

[Top Image: logicworks.net]

Post a Comment

Previous Post Next Post