Global coordination needed to secure smart devices amid rising threat: Singapore-Dutch study

In a photo from Sept 18, 2019, a man looks at surveillance cameras at the annual Huawei Connect event in Shanghai. A universal approach to safeguard connected devices - collectively known as the Internet of Things (IoT) - is wanting.
In a photo from Sept 18, 2019, a man looks at surveillance cameras at the annual Huawei Connect event in Shanghai. A universal approach to safeguard connected devices - collectively known as the Internet of Things (IoT) - is wanting.PHOTO: REUTERS

SINGAPORE - Unsecured surveillance cameras, routers, industrial sensors, smart energy meters and connected medical devices are fast rising in numbers, threatening to be a source of mayhem in an increasingly "smartened-up" world.

However, a universal approach to safeguard these connected devices - collectively known as the Internet of Things (IoT) - is wanting.

After studying the threat landscape for about a year, Singapore's Cyber Security Agency (CSA) and its Dutch counterpart - the Ministry of Economic Affairs & Climate Policy, which is in charge of IoT security - have concluded that government bodies around the world need to play a more active role in tightening legislation, and form a universal certification regime to improve the security of IoT devices.

These are among several recommendations, including technical ones, highlighted in their 107-page joint study titled The IoT Security Landscape, released on Wednesday (Oct 2).

"Since IoT is a global phenomenon and is not limited by national boundaries, it is essential to align country-specific legislations and adopt a coherent global approach to IoT security... We have seen few government-led global initiatives," said the study.

Specifically, liability laws can be updated to also cover security issues and not just safety issues related to property or health harm.

This update would put the burden of finding, correcting and warning consumers of IoT security dangers on manufacturers, which have so far been influenced by razor-thin profit margins.

Certification for IoT devices could be similar to the international ISO standard for, say, quality management with some baseline measures, such as over-the-air security firmware update for IoT devices.

In making their call for change, CSA and its Dutch counterpart pointed to 2016's massive Internet outage on the east coast of the United States that cut off access to websites such as The New York Times and Spotify.

The outage was caused by a piece of malware called Mirai, which infected and turned as many as 600,000 Web cameras, printers and baby monitors into "zombies" to overwhelm service provider Dyn's systems in what was a distributed denial-of-service (DDoS) attack.

DDoS attacks work by having thousands of infected devices accessing and overwhelming a targeted site, causing a huge spike in traffic.

"Vulnerable IoT devices are deployed fast globally and with unknown lifespan while... common standards and technical solutions for cyber security in IoT are lacking," according to the joint study.

"This creates safety, environmental and social hazards that are not well understood and likely to be unacceptable for society."

Mirai is only the beginning of what would be a growing problem.

 
 
 

Market research firm Gartner estimated that the number of IoT devices in use globally will grow from 8.4 billion in 2017 to a staggering 20.4 billion by next year.

Not only are critical infrastructure and the wider digital economy at risk of large-scale attacks like the one brought about by Mirai, people's privacy may also be compromised as personal data can be gleaned from unsecured IoT devices.

 

Some government agencies, academic institutes, industry alliances and IoT vendors have initiated ways to tackle IoT security challenges.

For instance, the UK government has proposed a code of practice for consumer IoT devices, urging device makers to disallow default passwords, implement a vulnerability disclosure policy and keep the device software updated, among other measures.

But there is limited coordination in tackling security challenges, resulting in market confusion.

"IoT product developers and vendors... may find themselves overwhelmed, or they may take advantage of the lack of clarity to do nothing at all," said the study, which also called for the harmonisation of security recommendations and guidelines.

"Given the continuing exponential growth in the number of IoT devices, there is no time to lose," said the study.