Cascading Security Through the Internet of Things Supply Chain

Published 29 June 2020

The “internet of things” (IoT) has been insecure since the first connected refrigerator woke up and asked for more milk. But while having your fridge hacked seems at best amusing and at worst inconvenient, the nightmare scenario is a matter of national security. Imagine hundreds of thousands of smart refrigerators, all with the same default password, hacked to direct a flood of web traffic against key internet servers, paralyzing them. “Swap smart fridges for security cameras and DVD players, and you have the Dyn cyberattack of 2016,” Trey Herr, Nathaniel Kim, and Bruce Schneier write in Lawfare.

They write:

At the heart of most home networks, and many industrial ones, is the humble wireless router. The security of these popular hubs is a prominent concern because they form the core of IoT networks. Against the steady drumbeat of major security flaws disclosed in the code running these devices—including several in just the past month—researchers have seen little progress in router security over the past 15 years. Serious vulnerabilities in home Wi-Fi routers can open the door for attackers to gain access to local networks and other connected systems. As the U.S. faces a surge of attacks exploiting the widespread uncertainty and confusion wrought by the coronavirus pandemic, these concerns have become all the more urgent.

The authors note that routers exemplify the challenges for IoT security: widening dependence, poor security practices, and manufacturers based around the world beyond the reach of a single jurisdiction.

This issue of jurisdiction is critical. Even with a clear security framework for manufacturers, supported by the kind of congressionally backed enforcement proposed by the U.S. Cyberspace Solarium Commission, most manufacturers in this market are based outside the United States. The IoT supply chain is global, and any policy solution must account for this fact.

In a new paper, we propose to leverage these supply chains as part of the solution.

They conclude:

Establishing and harmonizing security standards across borders is an important step toward a more secure IoT ecosystem. The IoT supply chain has so far been a channel for risk into our homes. We can use that same channel to push security back up through the supply chain.