New legislation requires IoT device makers to include reasonable security features like making users set unique passwords.
Unprotected IoT devices continue to pose a disturbing threat to both consumer privacy and security. For example, a camera installed in the Memphis bedroom of a young girl was recently hijacked by a hacker who seized control of the device to spy on the 8-year-old, taunt her with music and encourage destructive behavior. Another infamous instance of a camera falling victim to a hacker was reported in December by a Houston family who heard an eerily disembodied voice ask if “anyone [was] home” and promise it was “gonna find out.”
Perhaps not surprisingly, security cameras represent 47 percent of vulnerable devices installed on home networks. According to various reports, the recent spate of security camera hacks likely involved basic attack techniques such as credential stuffing. This simple process involves trying stolen account credentials against accounts through large-scale automated login requests. Consequently, camera users who don’t enable the optional two-step authentication, skip setting a unique password or recycle credentials across multiple online services are at a greater risk of being hacked. Beyond security cameras, a wide range of vulnerable consumer IoT devices are frequently targeted by hackers who actively search for devices with default or weak login credentials such as “admin” usernames and “1234” passwords. These include network-attached storage devices, printers, smart TVs and IP phones.
California cybersecurity law SB-327, which went into effect on January 1, 2020, is a good example of proactive legislation that could help prevent basic attacks against unprotected and vulnerable IoT devices. Indeed, the law requires manufacturers to equip IoT devices with “reasonable” security features to prevent unauthorized access, modification and data leaks. Specifically, SB-327 requires manufacturers to implement a unique preprogrammed (default) password for each device. Additionally, manufacturers must ensure that users create a new password the first time a device is activated. Together, these steps are expected to help protect California consumers, as hackers are known to routinely target vulnerable devices shipped with generic or default login credentials.
Similar to California cybersecurity law SB-327, Oregon House Bill 2395 (which amends ORS 646.607) requires manufacturers to equip IoT devices with “reasonable security features.” These include shipping devices with unique preprogrammed passwords, requiring users to create new passwords when a device is first activated and ensuring manufacturers comply with federal law and regulations that apply to security measures for connected devices.
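The two requirements described above for SB-327 and Oregon House Bill 2395 (a unique preprogrammed password per device and a forced password change at first activation) can be sketched as device-side logic. This is an added example, not code from the article or from either statute; the `Device` class, its method names, the 10-character minimum and the deny-list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MIN_LEN = 10  # assumed policy; "admin" and "1234" from the article fail on length alone
# Constructed deny-list of long-enough but well-known passwords.
WEAK = {"password123", "1234567890", "adminadmin", "qwertyuiop"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a dumped credential store is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    def __init__(self, serial: str):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.pw_hash = b""
        self.must_change = True  # stays True until the owner sets a password

    def factory_provision(self) -> str:
        """Factory step: random password unique to this unit (e.g. for its label)."""
        default = secrets.token_urlsafe(12)
        self.pw_hash = _hash(default, self.salt)
        self.must_change = True
        return default

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def login(self, password: str) -> str:
        if not self._check(password):
            return "denied"
        # The preprogrammed password only unlocks the change-password step.
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        if not self._check(current):
            return False
        if len(new) < MIN_LEN or new.lower() in WEAK or self._check(new):
            return False  # too short, well-known, or identical to the current one
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True
```

Because each unit gets its own random default and that default never grants a normal session, a credential list of generic factory logins is useless against the device both before and after activation.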
Additional governments around the world have also recognized the real-world risks posed by unprotected IoT devices and are eyeing legislation to protect consumers. For example, the United Kingdom (UK) recently announced its intention to introduce new laws requiring security to be built into IoT devices. This would add to the UK government’s 2018 publication of the world’s first IoT code of practice, which outlines guidelines for manufacturers such as prohibiting default passwords and mandating secure credential storage as well as ensuring software integrity. Meanwhile, the Japanese government is set to begin enforcing a set of IoT standards next year, which is likely to stipulate mandatory device identity to prevent unauthorized access and secure over-the-air updates.
In conclusion, passing proactive security legislation to prevent basic attacks against unprotected and vulnerable IoT devices is a good first step to protecting consumer privacy and safety. However, there is clearly much more that needs to be done before connected devices are secured against more sophisticated attacks.
From our perspective, a siloed security co-processor, designed to execute security-centric processes completely independently of the main CPU, can better help protect consumers by preventing unauthorized access and monitoring suspicious system activity. To be sure, a security co-processor can enable secure boot and runtime integrity checking, as well as provide remote authentication and attestation and hardware acceleration for symmetric and asymmetric cryptographic algorithms. Put simply, a siloed security co-processor can help thwart determined adversaries and more sophisticated hacking techniques such as side-channel attacks.