Level 3 Communications

Dale Drew

Building Accountability into the Internet of Things

The Internet of Things (IoT) is still emerging, and yet we’ve already seen many related security vulnerabilities and attacks. One of the latest — and most prominent — was a distributed denial-of-service (DDoS) attack launched in October 2016 that temporarily brought down some of the biggest sites on the internet.

The massive attack on Dyn’s DNS service affected users on much of the east coast of the United States, as well as data centers in Texas, Washington and California. Tens of thousands of IP addresses hit Dyn’s infrastructure during the attack, which is thought to have been executed through a botnet consisting of multiple internet-connected devices infected with the Mirai malware.

IoT-related security incidents will certainly increase as more objects are connected via the internet, and as bad actors find ways to exploit the weaknesses in device and network security. Countless numbers of connected devices can be used as launching points for various kinds of attacks.

How can organizations effectively address these security threats and vulnerabilities? One way is through increased accountability. Device manufacturers — and to some extent, the consumers who use their products — need to take action to make and use these connected devices in a more secure manner that doesn’t place thousands, and even millions, of others at risk of security incidents.

Until the interested parties in IoT are held accountable for manufacturing secure solutions, and liable for the damage done to the internet during such attacks, we will only see more of this type of activity. In addition to accountability, multipronged solutions involving technology, standards and policies should be implemented.

On the technology side, device manufacturers must develop security capabilities such as encryption, strong passwords and auto patching for products before they are delivered to the market. If devices are capable of being connected, they are also capable of being protected. It’s up to the companies that make the products to provide an acceptable level of security.

And if manufacturers don’t strengthen the security of products? They may risk legal action. In January 2017 the United States Federal Trade Commission (FTC) filed a lawsuit against D-Link, a manufacturer of network devices, claiming the company put thousands of users at risk of unauthorized access by failing to effectively secure its IP cameras and routers. Security vulnerabilities in the products were discovered in 2016.

Industry standards will also play a major role in helping to secure IoT components. In December 2016 the Internet of Things Security Foundation (IoTSF) announced the publication of its IoT Security Compliance Framework. The framework is part of IoTSF’s mission to drive the quality and pervasiveness of security in IoT.

IoTSF is promoting the “Supply Chain of Trust” concept, which encourages producers to adopt a level of care for their own customers and within the wider ecosystem. This is needed, the foundation says, because poorly secured connected products might provide a vulnerability point to attack the system elsewhere, such as in a denial-of-service attack.

The framework provides a comprehensive and practical checklist to guide organizations through a security-assurance process. It is designed to be generally applicable and extendable, with release 1.0 aimed at the consumer-product category. Future releases are expected to add requirements from additional application domains.

In addition to technology and standards initiatives, there should be a concerted effort across industries to address IoT security. This includes creating mechanisms to notify users about vulnerabilities, having broadband service providers filter and block traffic once an attack has been detected, and ensuring that consumers are buying “IoT secure” devices.