Protecting the Internet from weaknesses of many “connected” devices

“It’s definitely an ISP (Internet service provider) problem as well as a consumer and a device manufacturer problem,” Feamster said. “When we talk about insecure IoT devices, we can talk about securing the devices, but we can also take a complementary view and say, ‘Let’s assume the devices may be difficult to secure and it may be difficult to follow these recommendations — maybe there’s a role for in-home networking technology to basically firewall or segment to protect these devices from each other or from the rest of the Internet.’”

The report emphasizes the importance of segmenting home networks so the devices connected to the network cannot easily be used to compromise each other. “Many home networks do not, by default, isolate different parts of the network from each other,” the report points out. Making it harder for devices on a home network to talk to each other may help mitigate the impacts of any individual device’s security weaknesses.

“A lot of the discussions that have happened so far have been fairly general, so we tried to come up with some more specific things that people can focus on,” Livingood said. “I also think it could serve as a little bit of a call to action to the IoT device manufacturers to try to figure out how they can band together and try to develop some kind of certification programs for security.”

Even some of the more familiar recommendations in the advisory group’s report — for instance, making it easier to update software that runs on devices — may be less straightforward than they initially seem, Feamster said. “Some of these recommendations sound obvious but it’s not so obvious that they should go one way or another,” he explained. “Take secure over-the-network software updates — and the ability to update credentials on a device — those sound like basically good ideas. But there’s obviously a cost to doing that: what do you do about that when the cost of the device is 99 cents, so the cost of updating it may exceed the cost of deploying it?”

In other words, deciding whether or not it should be possible to distribute software updates and security patches to devices such as security cameras or thermostats may depend on the cost of the device and the cost of software updates. So the report, while it recommends making it possible to update devices in general, also points out that, “in some cases, replacing a device entirely may be an alternative to software updates. Certain IoT devices may be so inexpensive that updating software may be impractical or not cost-effective.”

Another scenario the authors consider is what happens to Internet-of-things devices in the event of an Internet outage. The report makes recommendations for how these devices should respond to interruptions to network connectivity. Specifically, the report recommends that “an IoT device should be able to perform its primary function or functions (e.g., a light switch or a thermostat should continue to function with manual controls), even if it is not connected to the Internet because Internet connectivity may be disrupted due to causes ranging from accidental misconfiguration or intentional attack.”

Membership in the Broadband Internet Technical Advisory Group includes industry leaders such as Google, Cisco, AT&T and Disney, as well as community organizations such as the Center for Democracy & Technology, and Public Knowledge. Researchers from Princeton, Carnegie Mellon University, the University of Oregon and the Massachusetts Institute of Technology contributed to the report.

Princeton notes that Feamster will be participating in the upcoming fourth Princeton-Fung Global Forum, which is focused on cybersecurity. The event will be held 20-21 March 2017, in Berlin.

— Read more in Internet of Things (IoT) Security and Privacy Recommendations (BITAG, November 2016)