Mar 12, 2017ED. NOTE: The FCC recently rescinded the notice of inquiry mentioned in this article, but is expected to take up cybersecurity matters again shortly.
"The Internet of Things is turning into a security nightmare." So wrote Thomas Ricker, a respected systems engineer and deputy editor of the The Verge, in describing the enormous distributed denial of service (DDoS) attack that disabled wide swaths of the Internet in late September 2016. This is no hyperbole. Mr. Ricker's statement succinctly describes the current state of Internet of Things devices' vulnerability to cyberattack and hacking.
According to a leading report by Malwarebytes Labs, there were nearly 1 billion malware detections and incidents, affecting nearly 100 million devices in more than 200 countries, during the June to November 2016 period alone. The United States is the top country for ransomware detections, as Americans are targeted because of their wide accessibility to technology and their ability to pay the ransom.
Unprotected IoT Devices Are Begging for Cyberattacks
IoT devices are particularly vulnerable to cyberattacks from botnets—a network of private computers infected with malicious software and used to spread malware. The aforementioned DDoS attack was orchestrated by a botnet that spread Mirai, an open-source malware, which compromised many IoT devices and home routers, with all of the infected devices being controlled by a single source. This brought down many well-known websites.
Less than a month later, Mirai was used to attack Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet's top destinations. This attack, which compromised security cameras, prevented millions of users from accessing popular sites such as Twitter, Reddit and Netflix.
Mirai is a particularly insidious malware. It scours the Web for IoT devices protected by little more than factory-default usernames and passwords, using an internal database of default names and passwords to gain entry to connected devices. After gaining access, Mirai attacks by throwing junk traffic at an online target until it can no longer accommodate legitimate users.
It is unlikely that we have seen the last of Mirai. The hacker who created Mirai released the source code for it, thereby enabling anyone who wants to instigate a botnet attack to use the malware.
Unsecured Firmware Can Be a Cesspool of Insecurity
Passwords in IoT products are embedded in the firmware. Firmware is software that controls the basic functions of a particular device; all computing devices rely on it. Devices such as smartphones and computers have operating systems, which help consumers manage the firmware. But devices without operating systems built in, such as routers and smart devices, render firmware difficult or even impossible for users to manage.
This scenario results in firmware potentially being a cesspool of insecurity. Many manufacturers view building security protocols in their devices as an unnecessary expense that eats into their margins. Consumers rarely think about applying patches (i.e., software that fixes security vulnerabilities) or installing updates in their devices—and because consumers don't demand firmware support, manufacturers don't provide user-friendly ways to update firmware used in their IoT devices.
This kind of neglect has resulted in cyber bugs such as the Misfortune Cookie, which in 2014 was discovered in the firmware of more than 200 router models. This bug allows attackers to monitor Internet traffic channeled through an unsecured router, steal passwords and login credentials, and spread malware to other devices.
Securing Firmware Is a Critical Cybersecurity Measure
As firmware is the heart and soul that runs IoT and connected devices, securing it is key to reducing cyber risks. Manufacturers of IoT devices and other entities involved in securing, underwriting or litigating products that face cybersecurity risks should begin their examination with a firmware evaluation.
As there are numerous attack vectors, a constructive place to start is to employ an expert who can efficiently reverse-engineer firmware to reveal vulnerabilities ripe for remote exploitation by hackers, thieves and state-sponsored actors. This process should be done at the design phase of any IoT device.
Another proactive step that IoT manufacturers should take to protect their devices is to employ engineers and developers that are able to think like cyber attackers and understand how to exploit their own devices. Security training on exploiting embedded software is the key to their success.
Effective embedded firmware security training is live, hands-on instruction that combines lectures and labs in which students hack off-the-shelf devices that are already on the market. Students will learn to protect their companies' embedded devices and join others who have a stake in security.
The importance of having an IT staff solidly educated in cybersecurity is not only a good business practice, but effectively required by law. As discussed below, the Federal Trade Commission (FTC) includes security personnel practices in its IoT security guidelines, while the Federal Communications Commission (FCC) has commenced a comment proceeding that will likely result in cybersecurity reporting requirements.
The Law Mandates Secure IoT Devices, With More Regulations on the Way
The Federal Trade Commission
As the number of and powerful effects of IoT exploitations surge, companies must shore up their security on embedded devices to mitigate risk. Failure to do so violates the Federal Trade Commission Act (FTC Act), which prohibits "unfair" and "deceptive" acts or practices affecting commerce. Violations of the FTC Act can result in substantial fines and other sanctions on the parties responsible for securing IoT devices—typically, the manufacturer, importer or vendor.
The FTC has brought hundreds of cases in which it sought to protect the privacy and security of consumer information. In these enforcement actions, the FTC has alleged that various companies acted deceptively in violation of the FTC Act by, among other things, failing to provide reasonable security for consumer data.
One of these cases involved a company whose vulnerable software enabled hackers to use malware that allowed access to consumers' usernames and passwords for financial accounts. The company informed its customers that updating the software would make its systems secure, but the updates only removed later versions of the software, leaving in place older software that could be easily hacked.
In order to mitigate the possibility of legal violations, the FTC has issued some recommended best practices for IoT device manufacturers. These include security by design, security risk assessments, security testing measures and security personnel practices.
The Federal Communications Commission
The FCC is seeking comment from all interested stakeholders concerning the best methods to ensure the security of the IoT infrastructure. While the FCC is seeking comment on a wide range of cybersecurity questions, it is fundamentally concerned with the roles and responsibilities each stakeholder should have. It is likely that the comments submitting in the proceeding will result in new cybersecurity rules for IoT providers. Comments are due by Apr. 24, 2017, and reply comments are due by May 23, 2017.
The most important questions for IoT device manufacturers and vendors include:
• What methodologies should be used to protect devices connected to 5G networks?
• Is current SIM technology robust enough to ensure security in the future?
• Are there any non-SIM methods that should be considered for high-volume, low-cost 5G devices?
• What mechanisms are most effective at mitigating DDoS attacks?
• Are additional standards needed to mitigate DDoS attacks?
• Should service or device providers be required to implement patch management as part of their security risk management plans in the 5G environment?
• Which 5G elements can be successfully maintained through patch management?
• How can 5G service providers and equipment manufacturers ensure that critical software updates are installed on their devices in a timely fashion?
• How do IoT devices place 5G networks at risk?
• What roles should equipment providers, Internet service providers and manufacturers play—either by themselves or in coordination—to mitigate the risks?
• What, if any, reporting requirements should be imposed?
• What are the costs of adding security features to 5G network hardware, firmware, software and applications?
Endure and Thrive in the IoT Security Tsunami
The IoT cyberattack pandemic is bad, and until IoT providers impose sufficient security measures in their devices, it will only get worse. The importance of IoT suppliers evaluating and securing the firmware in their devices cannot be overstated. Failure to do so leaves suppliers vulnerable to FTC Act violations and, soon, FCC rule violations.
Manufacturers are well-advised to understand and follow the FTC's guidelines. An experienced cybersecurity consultant can work with you to effectively implement these best practices in your company.
IoT suppliers should also remain aware and informed of the ever-changing IoT regulatory landscape. A good cybersecurity attorney can assist you with risk assessment and management, as well as ensuring compliance with the latest rules and policies.
IoT providers are strongly urged to participate in the current FCC comment proceeding. In addition to helping shape the rules, it is important to ensure that regulatory responsibility is fairly distributed. A lot of stakeholders with competing interests will be submitting comments, and they will naturally seek to ensure that compliance responsibility is shifted to others. Moreover, submitting comments will help you get your company's name recognized as an important player in the IoT industry
The IoT security tsunami is real. IoT providers must understand the specific risks to their companies and work diligently to mitigate them. IoT companies that ignore the cybersecurity threats do so at their extreme peril.
IoT attorney Ronald E. Quirk is the head of the Internet of Things & Connected Devices Practice Group at Marashlian & Donahue PLLC, The CommLaw Group, where he focuses his practice on serving the comprehensive needs of the burgeoning and complex Internet of Things industry, including contracts and commercial law, privacy and cybersecurity, spectrum access, equipment authorization, tax, regulatory compliance planning and more. His career has spanned more than 20 years, including several years at AMLAW 100 firms and the FCC. He can be reached at req@commlawgroup.com or (703) 714-1305.
Terry Dunlap is the founder and CEO of Tactical Network Solutions (TNS), in Columbia, Maryland. Clients come to TNS to leverage the Centrifuge IoT security platform, which audits compiled embedded firmware images for vulnerabilities. They also seek "white hat" security training, firmware evaluations and consulting. The staff includes former National Security Agency experts skilled in IoT, embedded firmware reverse engineering and security. Formerly, Terry worked as a Global Network Vulnerability Analyst for the NSA. He can be reached at tdunlap@tacnetsol.com or (443) 276-6990.
