A recent group of researchers in Virginia hacked into a driverless car to demonstrate how easily it can be accomplished. This study was actually commissioned by several governmental groups that are deeply concerned about the explosion of IoT devices and the opportunities that these devices give to hackers who can backdoor their way into entire systems through the lax security of a single type of device.
Clearly, security is a growing issue as more and more IoT devices hit the market, and manufacturers have, in the past, set too low a priority on security. How can greater security be accomplished? Interestingly, we may be looking in “all the wrong places,” as an old song says.
Manufacturers Get on Board
Fortunately, manufacturers of IoT devices are now stepping up to the plate. Devices hitting the market now have far greater security built in before they reach the hands of consumers. However, the problem lies in the large number of devices out there without adequate security, and they are not likely to be replaced with regularity. So, who will step up and provide the necessary security?
Smartphones and laptops are regularly replaced. Home security systems, as long as they are working, are not. And while manufacturers of IoT devices are now providing security updates in response to new laws, not everyone receives notifications, and, even if they do, often choose to ignore them. The result is millions of devices out there that provide “open hunting season” to hackers.
Enter Internet Service Providers
The “fix” for security problems of non-secure devices may lie with ISP’s, if they are willing to take the necessary steps. They can filter and/or block traffic that they suspect is malicious, based on spoofing patterns they know. Some ISP’s do this, but others do not yet because of the costs involved.
They can also notify customers – all customers – if there is an IoT device that is sending or receiving traffic that is known or potentially malicious. This would be similar to the notifications that computer users get when they are notified by their providers that there is potential illegal file sharing. If owners of IoT devices got such warnings, they could then take steps to locate and secure their device(s).
Neither one of these strategies is ideal. Filtering traffic can easily block legitimate transactions along with the suspect. And it really only responds to already-known threats. And providing notifications to customers is a “hit and miss” strategy. Lots of ISP’s believe that it's simply not their problem and that it interferes with their operations.
A more drastic measure would be to cut off service to IoT devices owned by consumers who fail to respond to notifications and to install updates. This will force them to install updates or replace devices with those from manufacturers that have incorporated the latest wireless standards and protocols in their electronic design. And if these customer notifications and cutting off can be done with the backing of government regulations, then ISP’s are not left vulnerable to legal liability, which is a real thing right now.
Governments have a vested interest in IoT security. They are as vulnerable as any other individual, company or institution. Consider, for example, the IoT devices that are currently in use by the U.S. Department of Defense. They are supplied by a wide variety of privately contracted manufacturers, and, if any of them are vulnerable, the opportunities for hackers are significant.
Clearly, governments and ISP providers have to work together. Governments can impose the regulations, and ISP’s can impose those new regulations upon their customers without fear of major revolt and backlash, because they all have to do it. Governments have the authority to do this (indeed, many of them already are) and ISP’s have the technology – it’s a great marriage.