In October, a massive denial-of-service cyberattack on internet infrastructure Dyn knocked huge swathes of the web offline for millions of Americans and Europeans, from Netflix to Twitter. It was the largest attack of its kind in history — and it was powered by an army of hacked webcams and smart devices with shoddy or non-existent security.
In short: The “internet of things” is a nightmare — a fundamental threat to the security and safety of the web.
But Google and other tech giants now have a plan to fix it.
On Tuesday, the Broadband Technical Advisory Group (BITAG) published a report on the security and privacy of the IoT, — including recommendations on how to improve it. If you haven’t heard of BITAG, its a tech industry body formed back in 2010, which includes Google, Cisco, AT&T, T-Mobile, Comcast, Mozilla, and others. (We first saw its report on Engadget.)
While IoT device hijacking for use in DoS attacks is disturbing, it’s not the only way the tech is being abused.”Several recent incidents have demonstrated that some devices do not abide by rudimentary privacy and security best practices,” BITAG’s report says.
“In some cases, devices have been compromised and allowed unauthorised users to perform Distributed Denial of Service (DDoS) attacks, perform surveillance and monitoring, gain unauthorised access or control, induce device or system failures, and disturb or harass authorised users or device owners.”
Problems with devices range from leaking Wi-Fi passwords to not being update-able, from having hardcoded default passwords to outdated and vulnerable firmware.
So that fancy internet-connected kettle you just bought might be spying on you, or leaking your home Wi-Fi password, or attacking computer networks thousands of miles away. Not ideal.
To try and solve this, BITAG has laid out a number of recommendations that it wants IoT manufacturers to abide by. Some of these are pretty basic (pointing to the scale of the problem), including shipping devices with “reasonably” current software without known vulnerabilities, and that manufacturers should follow best practices for encryption.
The group also wants to ensure that devices continue to work even without cloud or internet support, that privacy policies should be easily understandable, that there should be clear mechanisms for reporting bugs and vulnerabilities, and that devices should be resettable. (You can read BITAG’s full report below.)
BITAG’s not a regulatory body, so it doesn’t have any power to force manufacturers to make changes. But there’s a growing chorus of voices calling for government action, and it may add extra weight to these efforts.
“I’m really divided on what I think about regulation, but if it’s needed somewhere, this might be it,” F-Secure chief research officer Mikko Hypponen said in October. “We’re regulating things on appliances anyway. They should not be able to give you an electric shock, they should not catch fire, they should not leak your Wi-Fi password either — I think that would be a good thing.”
However, many of the hijacked devices used in recent attacks were made by a Chinese electronics company — raising the possibility that even if American manufacturers upped their game, some overseas companies looking to cut costs might not bother.
But this discussion is nonetheless long overdue, and may also help to raise awareness of the issues among consumers. Because right now, any attempt to change the status quo is very welcome.
Here’s the full announcement and report from BITAG:
- Top IoT Companies to Watch & Invest In
- Best IoT Conferences & Expos
- IoT Wearable Devices & Technology
- How the IoT Will Affect Security & Privacy
- Ultimate IoT Research Bundle
Business Insider Emails & Alerts
Site highlights each day to your inbox.