Security Sidebar: Regulating the Internet of Things
It seems that just about everything is Internet-connected today…cars, cameras, phones, lights, thermostats, refrigerators, toasters…just to name a few. The so-called “Internet of Things” (IoT) is huge. On one hand, this is an amazing step in the advancement of technology. On the other hand, it’s a gold-mine for exploitation if you’re an attacker. One of the most dangerous aspects of having all these devices connected to the Internet is that they can be used to attack something. A 2015 Gartner study estimated that 6.4 billion devices would be connected to the Internet in 2016 (still too early to have 2017 numbers), and we are on pace to have over 20 billion devices connected by 2020. Add to this the relative ease with which an attacker can take control of a given IoT device, and it paints a pretty scary picture.
Some would claim that an attacker taking control of their Internet-connected device is not inherently scary, and depending on which device you are referencing, those people would be right. Take, for instance, your new Internet-connected refrigerator. Let’s say an attacker took control without you knowing about it. You probably couldn’t care less as long as your food stayed cold. All you want is to make sure your milk is ready to go when you pour that amazing bowl of Frosted Flakes for breakfast the next morning (the milk at the end of a Frosted Flakes bowl of cereal is simply the best ever). The dangerous part, though, is that the computing power of your Internet-connected refrigerator (albeit small) could be used as part of a large-scale attack. As long as you aren’t the target of said attack, I guess you don’t completely care (or probably even realize it).
You might astutely note that, while there are 6+ billion Internet-connected devices in the world today, not all of them have been hacked and even the ones that have been hacked are not all being used at the same time in an attack. You would be right. But even so, a small percentage could be hacked and used against a target…and a small percentage of 6 billion is still a huge number. We saw this exact situation with the Mirai Botnet attack that took out several popular websites. The power of the Mirai Botnet is built on compromised IoT devices. You don’t want to be the next target of this botnet.
So with all this discussion about IoT devices, it brings up an interesting question: Do we need to regulate all of this? After all, if these devices were forced to be built with more security, it would be much harder to hack into them and use them as part of an attack.
On the side of “we do not need more regulation” stands many who would claim that regulation will simply add more frustration and bulk to an already-clunky manufacturing and distribution process. Manufacturers don’t see the need to add more security to their devices because it typically doesn’t make financial sense. And, how much more security is enough? If a company can make an Internet-connected toaster at a certain price today, how much more will it cost to produce when added security is required to be built in? This will likely push the price of toaster production past the point of profit for the company. And then the frustrated toaster company won’t be able to make toasters any more. And then people won’t have toast for breakfast. And then people will have to resort to eating regular bread. You see the trend. In addition, customers typically don’t care about the security of their devices as much as they do the functionality of the device. Who cares if my refrigerator is used in a massive botnet attack as long as it keeps my food cold, right? Said differently, I don’t need encrypted milk…I need cold milk.
However, there’s the other side that says the government should step in and regulate all of this. I don’t have to tell you that the threats (and execution) of DDoS attacks are growing at an alarming rate, and someone/something needs to step in and help. How can we, with good conscience, stand idly by and watch all this happen without trying to help in some way? Many would call it a moral obligation to do something about this. One wrinkle (of many), though, is that even if the United States passed legislation to regulate the security of “things” connected to the Internet, it still wouldn’t guarantee anything for technologies that are developed/manufactured outside the United States. Is that a reason to do nothing, though?
So here we are. Do we add regulation to the IoT, thereby adding cost and possibly forcing companies out of business? Or do we let it all go, and accept the fact that we will see attacks grow in number and intensity?
- FulmetalNimbostratus
Interesting. Thanks John.