IoT Security: Sen. Warner’s Letter to IoT Manufacturers

With more IoT devices in homes and businesses, is Washington finally ready to address the security of these devices?

With Gartner projecting 5.8 billion IoT endpoints in use this year, Palo Alto Networks research indicates that 57% of IoT devices are vulnerable to attack. These findings should come as a bleak warning that, as millions and millions of Americans are working remotely during the COVID-19 pandemic and relying wholly on their home networks and personal devices, IoT security is now more critical than ever.

With so much at stake, it’s now time that IoT manufacturers commit to conducting thorough security reviews of the firmware that provides low-level control of the hardware of their internet-connected devices. Already well-recognized as one of the most pressing issues for the cybersecurity industry today, unprotected firmware is still not a top priority for IoT device manufacturers. And, as firmware continues to be a fan-favorite attack vector among malicious hackers, the vast majority of manufacturers still have not implemented any kind of security in their connected devices.

Why is this the case, you ask? Well, currently, there are no industry standards or federal government regulations for IoT security. However, in late 2019, California—a state that frequently enacts progressive and ambitious policies that set precedents that other states follow—made history by enacting a law that requires IoT device manufacturers to bolster security to better safeguard sensitive data. Additionally, last year, the Internet of Things Cybersecurity Improvement Act of 2019 was introduced. This piece of legislation, if passed, will permit the National Institute of Standards and Technology (NIST) to manage IoT cybersecurity risks for devices acquired by the federal government. The proposed law represents a huge silver lining for this dire issue, proving that the need for improved IoT security is gaining momentum in Washington and finally getting the critical attention it demands.

Unfortunately, since this bipartisan act was introduced, IoT security seems to have been put on the backburner once more—until now. As most Americans are practicing COVID-19 social distancing, one Washington figure has turned up the heat on IoT manufacturers and WiFi and telecom vendors. U.S. Sen. Mark R. Warner (D-Va.) issued a letter to six internet networking device vendors to urge them to help ensure that their internet connectivity products remain secure. In his letter, Warner urged vendors to guarantee that their wireless access points, routers, modems, mesh network systems and related connectivity products cannot be easily exploited to attack consumer systems and workplace networks.

Warner pressed IoT manufacturers and WiFi and telecom vendors to make a much greater effort to ensure their devices and networks are secure. That means adhering to secure coding practices and proactively promoting security measures to protect users, such as removing default usernames and passwords and implementing binary hardening. They should also be vetting and validating the firmware of all IoT devices placed on a network to prevent the creation of a jumping-off point for all kinds of malicious behavior.

Warner’s letter provides further evidence that the time has come for IoT manufacturers to address security. If not, the consequences will be graver than ever before. By now, most vendors are aware that compromised firmware can wreak havoc on a network by enacting malicious activity, including denial-of-service attacks, malware distribution, spamming and phishing, click fraud and credit card theft. However, this issue is no longer just about a company’s reputation and bottom line or a consumer’s right to privacy.

Through insecure IoT devices, attackers can take down networks and cripple critical infrastructure. As IoT continues to advance into our everyday lives, these kinds of attacks are well beyond nuisances and inconveniences—they can put human lives in jeopardy.

Luckily, consumers and enterprises alike can take matters into their own hands by contacting the manufacturers of their IoT products and asking if they’ve accounted for the most common kinds of vulnerabilities. If not, IoT device owners should be empowered to leverage knowledge of Sen. Warner’s letter to demand that vendors implement secure coding practices in their firmware and IoT devices.


Terry Dunlap

Terry Dunlap is the co-founder and chief strategy officer of ReFirm Labs, a provider of the industry’s first proactive IoT and firmware security solutions that empowers both government agencies and Fortune 500 companies. A serial entrepreneur and veteran cybersecurity innovator, Dunlap has more than 20 years of experience leveraging his extensive computer knowledge to solve critical problems. Dunlap co-founded ReFirm in 2017 with a fellow NSA offensive operator and current CTO Peter Eacmen, on a mission to create defensive tools that validate and continuously monitor IoT devices from hidden threats.
