Why IoT Security Faces Similar Challenges to Gun Control
Let’s compare, for a moment, Internet of Things devices to guns. To be sure, the comparison is an imperfect one, but the prospect of securing IoT devices — along with traditional computing devices — bears a certain resemblance to gun regulation. Both guns and IoT devices have clear legitimate uses, but potential for misuse. The volume of guns and IoT devices in circulation has considerably increased in the past decade. Furthermore, IoT devices can be weaponized — and in the case of critical infrastructure, industrial environments and autonomous cars, they can pose a safety risk. But top-down approaches to address insecure IoT devices and gun violence are at once challenging to implement and can fuel debate as to the best means to address them.
Top-down approaches for cybersecurity can lead to increased product and technological deployment costs. And while they can decrease risk, they can often interfere with usability. As with gun control, such measures can spur pushback from device users. For instance, New York resident Jay Brodsky filed a class action lawsuit against Apple for coercing users into using two-factor authentication. Brodsky argues in the filing that users should be able to decide their own security level, enabling them to “freely enjoy and use” their devices.
A similar example can be found with the smart home company Nest, which recently made headlines after a California family with a Nest camera heard, through the device’s speaker, a bogus warning of a North Korean missile attack. Nest parent company Google responded to this and other similar breaches with this statement to Mercury News, which first published the story: “These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of security risk.” Google also revealed it is “actively introducing features” to force users with compromised passwords to update them. The company is also offering features for account monitoring while keeping tabs on those who exploit compromised credentials.
The parallels between IoT security and gun control are fairly clear. But in another regard, Nest and other IoT technology providers are in a similar position as medical professionals rationally arguing to anti-vaccination advocates that vaccines are in their best interest. Two-factor authentication is somewhat analogous to getting a booster shot. Sure, it’s unpleasant in the short term, but it beats getting the measles — or getting hacked. But as with vaccinations, even a small percentage of people who choose to view cybersecurity as an infringement on usability can make the entire ecosystem less secure.
“How much blame can you put on Nest because they want to be in the market and sell a product?” asked Chester Wisniewski, principal research scientist at Sophos. “If they force people to put two-factor on their cameras, then some people would stop buying these cameras because some people are that stubborn about not doing something to protect themselves. Where do you draw the line on these things?”
Wisniewski recounts asking a chief information security officer at a credit union why the company offers two-factor authentication. “And he said: ‘It’s just a math thing when you are a business offering a product.’” It could potentially be expensive for the organization to implement, but it could theoretically reduce the cyber-risk profile for its customers if it were mandatory. But the very people who ask for two-factor authentication tend to be the ones who are security minded, who already have secure passwords. “The people who are most likely to be hacked are the people who don’t care. And they wouldn’t turn [two-factor] on if it was optional,” Wisniewski said. And if the credit union made two-factor mandatory, Wisniewski suspects that such users would simply find a new bank that didn’t require it.
“This is actually the story of IoT writ large,” Wisniewski said. Both end users and manufacturers play a role in creating an unsecured ecosystem. According to Wikipedia, “123456” and “password” have been vying for the dubious title of being the most-popular passwords since 2011. A number of manufacturers have been similarly lazy in their use of, for instance, “admin” as both the default username and password for networked devices such as routers, IP-connected cameras, networked industrial hardware, connected medical devices and other IoT devices. The widespread use of default usernames and passwords, and the fact that few companies have forced users to pick new and secure replacements for them, helped feed the 2016 Mirai botnet, which enlisted an army of connected routers, surveillance cameras, DVR devices and other gadgets to render prominent websites such as Reddit, Netflix and Airbnb inaccessible for many users, primarily in the United States. In the IoT world, Mirai was something like the 1999 Columbine High School shooting — a headline-grabbing event with the seeming potential to drive more stringent security across the landscape. But the Columbine shooting and the Mirai botnet provided a template for future attacks rather than ushering in a stronger security baseline. The 2019 Nokia Threat Intelligence Report notes that “IoT botnet activity has increased substantially since the introduction of Mirai in 2016” with many IoT botnets building on Mirai’s source code, which was made open source in October of that same year.
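The manufacturer-side fix the paragraph above describes, refusing to let a device run on a shared default such as “admin”/“admin”, is a small amount of firmware logic. The example below is added here and is not code from any vendor named on this page; it models a first-boot credential gate that keeps remote services disabled until a shared factory default has been replaced with a credential that is not a known default, not on a common-password list, not equal to the username, and of reasonable length. It also shows the alternative of shipping a per-unit random default, which avoids the shared-secret problem Mirai exploited. The default lists, the length threshold and the `Device` model are constructed assumptions, not any standard’s requirements.

```python
"""Added example: a first-boot credential gate for a networked device.

Remote access stays disabled while a *shared* factory default is in use; a
per-unit random default is allowed because no other device shares it.
The credential lists and the Device model are constructed for this example.
"""
import hashlib
import os
import secrets
import string

# Constructed lists; a real deployment would use a much larger, maintained corpus.
COMMON_PASSWORDS = {"123456", "password", "admin", "12345678", "qwerty", "1234", "root"}
SHARED_FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("admin", "")}
MIN_LENGTH = 12  # constructed policy threshold


def credential_problems(username: str, password: str) -> list:
    """Return every reason the pair is unacceptable (empty list means acceptable)."""
    problems = []
    if (username, password) in SHARED_FACTORY_DEFAULTS:
        problems.append("factory default")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def generate_unique_default(length: int = 16) -> str:
    """Per-unit random default, printed on the device label rather than shared."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Device:
    """Toy device: stores a salted PBKDF2 hash and gates remote access on the credential."""

    def __init__(self, username: str = "admin", unique_default: bool = False):
        self.username = username
        self._salt = os.urandom(16)
        if unique_default:
            self.initial_password = generate_unique_default()
            self.shared_default_in_use = False
        else:
            self.initial_password = "admin"       # the shared default Mirai-style bots rely on
            self.shared_default_in_use = True
        self._hash = self._hash_pw(self.initial_password)
        self.remote_enabled = False

    def _hash_pw(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, username: str, password: str) -> bool:
        return username == self.username and self._hash_pw(password) == self._hash

    def set_password(self, new_password: str) -> list:
        """Replace the credential; returns the list of policy problems (empty on success)."""
        problems = credential_problems(self.username, new_password)
        if problems:
            return problems
        self._hash = self._hash_pw(new_password)
        self.shared_default_in_use = False
        return []

    def enable_remote_access(self) -> bool:
        """Refuse to expose the device while a shared default is still set."""
        if self.shared_default_in_use:
            return False
        self.remote_enabled = True
        return True


if __name__ == "__main__":
    d = Device()
    print("remote on shared default:", d.enable_remote_access())
    print("rejected:", d.set_password("admin"))
    print("accepted:", d.set_password("correct-horse-battery-staple") == [])
    print("remote after change:", d.enable_remote_access())
```

The gate sits on the device itself rather than in a cloud account, which is the point of the supply-chain argument later on the page: a unit that never exposes a service behind a shared default cannot be swept into a botnet by that default, whatever the buyer does afterwards.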
Returning to the comparison between IoT devices and guns, industrial organizations — especially utilities and energy firms — are in some respects similar to the military. They have defined procedures for procurement and training users to operate equipment safely and they have the clout to influence whole ecosystems.
“With the industrial IoT, a lot of the market is driven by a few very large purchasers who can kind of dictate what the product space is going to look like, at least for their new acquisitions,” Wisniewski said. If, say, an oil-and-gas company is spending half a billion dollars to rebuild part of a refinery, it is likely to force its suppliers to meet a defined security threshold. Wisniewski said this growing security awareness among prominent industrial firms and government organizations like NASA is having a trickle-down effect in the industrial IoT ecosystem.
While there is growing movement toward IoT-security–related standards, best practices and regulation such as a California law that would raise the bar for devices sold in the state beginning in 2020, instituting sweeping changes to the IoT security ecosystem across the entire world could be as unlikely as passing significant changes to U.S. gun laws. One possible response from IoT manufacturers to California’s upcoming IoT legislation is to simply stop selling products to citizens in the state. “The truth of the matter is, we can’t tell the whole world they can’t have an insecure camera, and that means we still have a problem when we’re talking about denial of service,” Wisniewski said. “To solve this, you have to fix it within the supply chain, so the incentive needs to somehow affect the manufacturers of these things in Malaysia, China, Taiwan or wherever they are made.”
“I think one of the ways we might see progress is in international trade treaties,” Wisniewski said. “If the WTO and others can make cybersecurity a priority and decide on international standards [for IoT devices sold throughout] the world, that could be a pressure point.”