IoT security prioritization creeps to the forefront

As lightbulbs, door locks, garage doors and thermostats get connected and become part of the grander Internet of Things at increasing rates, securing those devices is gradually becoming a priority for the companies making those products and the service providers supporting them.

While a portion of security threats centers on consumer IoT devices, those threats also carry over to IoT components that help to underpin more critical infrastructure tied to telemedicine, telecom networks, streetlights, connected cars and other transportation systems.

To highlight the broad aspects of the issue, FCC Commissioner Jessica Rosenworcel urged the agency last week to apply its device authorization process to IoT security and stay a step ahead of the threat. In testimony for an FCC oversight hearing in the Senate Commerce Committee, she suggested that the FCC reconsider an authorization process for consumer electronics and see if it should also be used to “encourage device manufacturers to build security into new products” as more devices, such as streetlights, parking meters and pallets of equipment become part of the connected world.

To further that idea, she suggested the government expand the National Institutes of Standards and Technology with draft standards that include security recommendations for IoT devices covering areas such as device identification, device configuration, data protection and critical software updates. “In other words, it’s a great place to start – and we should do it now,” Rosenworcel said.

A big wakeup call on this general issue occurred in 2016 when the Mirai botnet took advantage of millions of insecure IoT devices, including cameras and routers, through commonly used username/password combinations.

That led to the signing of a 2018 cybersecurity law in California requiring manufacturers to equip connected devices with “reasonable” security features that help to prevent unauthorized access and modifications. To eliminate the pervasiveness of generic default passwords that are easy to guess, the bill also mandated that devices come with a unique password or that users must set a new password when the device is first connected.

The Mirai botnet and the subsequent California bill have also spurred the private sector to act and attempt to take on the issue before rules and regulations governing IoT security become overly fragmented.

Big names get behind the ioXT Alliance
One primary example is the Internet of Secure Things (ioXT) Alliance, a group that is developing global IoT security standards that aim to support massive scale. Several big name companies have joined the cause, including Amazon, Comcast, T-Mobile and Google.

ioXT, a group that has about 200 device manufacturers, retailers, network operators and service providers on board, is focused on setting security standards that are testable and scalable and can be harmonized across a wide range of IoT products, according to ioXT Alliance’s chief technology officer, Brad Ree.

Though the initial target is to address security standards, including areas like upgradability, for consumer electronics, the initiative itself aims to cover everything from connected light bulbs, set-tops, smartphones and connected cars, he said.

To read the complete article, visit Light Reading.