UK government to increase security on IoT devices
In the future, it’s not just your laptop that will need a firewall: try your front door, mirror, refrigerator or any other Internet of Things (IoT) device in your home.
The UK government are proposing that all IoT-connected devices will need to measure up to basic security standards. The plans will help to protect all kinds of “smart” objects, including a new mandatory labelling scheme to identify IoT products that meet these new security measures.
The new code of practice for IoT devices will ensure that IoT device passwords are unique and cannot be reset to a factory setting, manufacturers of IoT products offer a public point of contact as part of their disclosure policy, and that they explicitly state the minimum length of time that a device will receive security updates through an end of life policy.
“Many consumer products that are connected to the internet are often found to be insecure, putting consumers privacy and security at risk,” said Digital Minister Margot James. “Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.”
What are the threats?
In November 2017, a report by Which found that four out of seven popular IoT toys could be hacked to allow strangers to manipulate built-in voice modules and communicate with children. However, it’s not just in the home that IoT poses a security risk.
Any connected device can be an entry point to personal data, whether that’s a car or a fitness tracking device. IoT is transforming not just our home lives though but all kinds of sectors: the impact that it’s had in the healthcare industry, for example, is sizeable, with advances in patient monitoring, automated drug dose delivery and equipment tracking all helping to make medical professionals’ jobs easier.
Security is a big problem in healthcare: manufacturers have recalled insulin pumps and pacemakers due to security issues in the past and healthcare apps contain plenty of sensitive information that’s an attractive target for cybercriminals. It’s possible for hackers not just to find details of your prescriptions, but steal a victim’s identity or resell information on the dark web.
Should a cybercriminal take control over IoT equipment directly, results could be deadly. In recent years, sinister reports have surfaced, telling of how cardiovascular imaging devices can be exploited with high-severity code execution flaws and vital signs monitors can be altered to simulate a flatline on a patient’s heartbeat.
Whether in a home, a hospital or an office, IoT devices offer gateways to secured networks. Malware and ransomware can find its way onto a network via any device that’s unprotected.
How can IoT security be improved?
Despite the sinister scenarios and strong warnings, IoT security can be bolstered. Though hackers are a worry when it comes to Bluetooth-connected devices, there are ways to ensure that you’re always one step ahead.
Most IoT devices don’t have a screen or keypad however to enter a password, so MFA is more suited to admin level than user level.
Multi-factor authentication (MFA) is one way that technology can beat password hackers. You may well be using it on your social media accounts already, but MFA sends an SMS code to your smartphone to authenticate your identity. Simply having a password is what’s known as “the knowledge factor”, which is why complex passwords are necessary. However, sometimes complexity isn’t enough to keep criminals at bay: MFA adds a layer of security on top with “the possession factor”. Having a physical smartphone on your person to keep your IoT device secure is akin to having a key to a safe, rather than just knowing the combination that opens it.
On top of this, there’s also “the inherent factor”. This is any kind of biometric detail like fingerprints, retina scans or voice recognition. Ideally, MFA needs to be simple and convenient for users. Most IoT devices don’t have a screen or keypad however to enter a password, so MFA is more suited to admin level than user level.
Ideally, an IoT device should have different security levels for if it’s used for access or authentication. Data encryption and intrusion prevention systems are also viable ways to stay secure though. Encoding electronic health records, for example, could avoid hacking of sensitive information that’s left in storage, while intrusion prevention systems can identify and block unauthorised connections to your network.
The Use of Blockchain
More and more technology is adopting blockchain to secure data. Blockchain is seen as the perfect advanced security solution for many, as it induces encryption methods such as public key infrastructure (PKI).
IoT smart devices must be controlled by a central authority. With permission-based blockchain however, all users are authorised to access a network, but each device is accountable for its actions, as all data stored on the blockchain is signed.
