Story image

Standards, regulation, and accountability are required to avoid IoT Armageddon

02 Nov 2016

Potential security concerns regarding the deployment of an ever-increasing number of Internet of Things (IoT) devices are well documented. 

However, such concerns routinely focus on the potential vulnerabilities of individual solutions rather than recognising the implicit dangers in a global system that is only “as strong as its weakest link.

The Dyn DDOS event is a wake-up call

The recent Dyn distributed denial-of-service (DDoS) attack has caused consternation in the technical communities intimately concerned with the “plumbing” of the Internet. 

While the debate as to who, what, and why the attack took place remains the subject of detailed sleuthing, a security paradigm shift has occurred that is going to challenge governments worldwide.

The attack used a large botnet of low-grade, poorly secured Internet devices – it’s possible that your fridge, your neighbor’s router, or my TV was involved. 

As the number of devices connected to the net increases exponentially, there is a significant aggregated risk to overall network integrity from millions of low-cost, poorly-designed, never-patched, unmanaged devices coming online.

Where cost is the prime determinant of low-end, no-brand devices’ security is an afterthought, if it is even thought of at all. Products with no password, default passwords, no encryption, open insecure ports, known vulnerabilities, and an inability to patch flaws even if they are detected abound at the cheap commodity end of IoT. 

While an initial response is often “buyer beware,” unfortunately, in aggregate, these devices have the capability to wreak havoc on the wider population.

Regulation may be a dirty word, but when products have the potential to cause significant harm, society expects government to mandate standards and regulate to ensure they are adopted. 

Motor cars must be built to safety standards, and manufacturers are held responsible when they are not – as Toyota found with its faulty accelerator issues. Samsung’s recall of the Note 7 due to the potential fire hazard is similarly well known. In both cases, well-respected companies recalled their product due to consumer and government pressure.

In the IoT space, the greatest risk is generally not from the well-known products, which tend to be designed with security considered from the outset and are promptly remediated when flaws are detected. The biggest concern is with low-end generic or unbranded devices from smaller manufacturers.

Addressing the challenges posed by these products will require administrations to consider a model like electrical goods or children’s toys, where, regardless of price point, minimum standards must be maintained and local safety regulations complied with. 

Furthermore, manufacturers and their local distributors are held liable for loss or damage resulting from substandard design.

Identifying what those minimum standards should be will be challenging, not least to ensure that the system isn’t gamed by vested interests to reduce competition, but the Dyn event highlights the frightening potential from continuing with an “anything goes” approach to network device connectivity.

Just as the new-model virtual businesses, such as Uber and Airbnb, are requiring governments to rapidly develop new-model regulations, pervasive IoT will necessitate legislators walking a fine line that protects the “Internet commons,” without stifling technical innovation.

Article by Al Blake, Ovum analyst

Zoom’s new Rooms and Meetings features
Zoom has released information about the upcoming releases for its Rooms and Meeting offerings for 2019.
Aussie company set to democratise direct-to-orbit IoT access
Adelaide-based Myriota has released a developer toolkit that has been trialled and tested by a smart waste management platform.
Apple's AirPods now come with 'Hey Siri' functionality
The new AirPods come with a standard case or a Wireless Charging Case that holds additional charges for more than 24 hours of listening time.
Dynatrace takes pole position in APM Magic Quadrant
It placed highest on Ability to Execute and furthest on Completeness of Vision in the 2019 Quadrant for Application Performance Monitoring (APM).
HCL and Xerox expand strategic partnership
Under the terms of the agreement, HCL will manage portions of Xerox’s shared services, including global administrative and support functions.
Avaya expands integration with Google Cloud AI
This includes embedding Google’s machine learning within conversation services for the contact centre, enabling integration of AI capabilities.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Poly appoints new A/NZ managing director, Andy Hurt
“We’re excited to be bringing together two established pioneers in audio and video technology to be moving forward and one business – Poly."