The Institute for Critical Infrastructure Technology, a think tank based in Washington DC, has issued a report calling for IoT device design to be regulated.
In the report, James Scott and Drew Spaniel – two researchers based at the organization – discuss security challenges around the creation of connected technology.
They comment on the fact that while Internet of Things is evolving quickly, the security threats – especially around the way devices are built – are still not understood by the industry.
The pair comment on the fact that the industry is constantly playing into the hands of services such as Shodan, but are neglecting security-by-design.
Many people in the industry are worried that regulation could have a negative impact on Internet of Things manufacturing, although the pair argue that tougher security is needed to protect critical infrastructure.
“National IoT regulation and economic incentives that mandate security-by-design are worthwhile as best practices, but regulation development faces the challenge of … security-by-design without stifling innovation, and remaining actionable, implementable and binding,” the writers say.
“Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy.
“Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.”
Connected technology manufacturers believe that state meddling would deter production. However, foreign Internet of Things devices are widely seen as a threat to American infrastructure, which is why improved security measures are needed.
The report focuses on the Mirai denial of service (DDoS) attacks, which saw cyber criminals use flawed connected devices to attack critical services. James and Scott point to China.
“Nation-state activity may be the serious long-term threat of IoT malware because nearly every one of the predicted 50 billion IoT devices in active use by 2020 will have been developed and manufactured by enemy nation states,” they say.
Although the researchers take the view that industry-wide regulation is needed, they show some concern to the government’s involvement. In particular, they say back-door entrances for law enforcement would be detrimental because hackers could exploit them.
2016: the year of IoT attacks
Dave Palmer, director of technology at Darktrace, said: “2016 has seen some of the most innovative corporate hacks involving connected things. In the breach of DNS service Dyn in October, malware spread rapidly across an unprecedented number of devices including webcams and digital video recorders.
“But many hacks of IoT this year have gone unreported – they include printers, air conditioning units, video conferencing cameras, and even a coffee machine. These attacks used IoT devices as stepping stones, from which to jump to more interesting areas of the network.
“However, sometimes the target is the device itself. This year, one of the most shocking threats that we saw was when the fingerprint scanner that controlled the entrance to a major manufacturing plant was compromised – attackers were caught in the process of changing biometric data with their own fingerprints, in order to gain physical access.”
For more Internet of Things security news, click here!