Blog / Extinguishing the IoT Insecurity Dumpster Fire – Regulations that Specifically Apply to IoT Devices
IoT (the Internet of Things) is a topic I’ve talk about on several occasions. I did a newsletter that went over exactly what IoT meant. Then I did another one going over Internet-capable toys. I also did one about the FBI and their IoT Recommendations.
IoT is also something that has been covered in our TRINUS newsletters. A while ago, Dave sent one out about how WatchGuard was entering the IoT market. As you can see, it’s a topic that comes up again and again.
Devices that connect to your network have historically been things like Firewalls, switches and computers. With these sorts of devices, you expect to pay a bit more, so naturally the people who build them can afford to spend more time on building and testing.
It’s good to see bigger players, like WatchGuard, doing things in the IoT market. At the same time, it’s unfortunate. The problem IoT devices from any of the big players (Cisco, WatchGuard, Fortinet, etc.) have, is that you won’t find their equipment on a store shelf. You can only get it by going through their Sales Partners. The big guys use a different sales model then most IoT vendors.
To change gears for a second, I’m sure everyone remembers the EQUIFAX Data Breach. When it happened, one of the things I mentioned in the first newsletter about it (and repeatedly afterwards) is that there was no existing Regulation that required them to disclose the Breach at the time. Thankfully, this has changed in Canada, as well as many other countries.
So, to come back to IoT, one of the big problems is the lack of any Regulations around their development and sale. Just like Breaches in the past, no country has any kind of Regulations about this. Thankfully, this is changing. Across the pond in the UK they are working on some Regulations that specifically apply to IoT devices.
There are several things they cover, but the Big Three items appear to be:
- IoT device passwords must be unique and not re-settable to any universal factory setting.
- Manufacturers of IoT products provide a public point of contact as part of a Vulnerability Disclosure Policy.
- Manufacturers explicitly state the minimum length of time for which the device will receive Security updates through an end of Life Policy.
Additionally, it includes a sales tag that Manufacturers apply to their packaging, to indicate their product complies with the Regulations. This is a great thing for consumers, as it gives them something to look for, along with a degree of confidence in what they’re buying.
If you remember the newsletter I did about the FBI IoT Recommendation list, some of the problems I pointed out involved how a consumer was supposed to contact a company or find out how long updates for it might continue. I was reading an article the other day that refereed to the state of IoT Device Security as a “dumpster fire.” Overall, I’m in complete agreement and I quite like that description.
With companies like WatchGuard doing IoT devices it’s good, because it’s possible to get your hands on a device that has proper Development and Security considerations. The problem, as I mentioned, is that you won’t find their stuff on the shelf in Best Buy. Their Target Market (like Cisco) are businesses, not consumers. Since they don’t compete in that market, it’s doubtful their presence is going to do anything about the overall state of IoT Security.
Hopefully, legislation like the UK is working on will change that. A company that wants to sell consumer IoT products in the UK doesn’t have to follow the rules they’re working on, but once the brand gets recognition, using it will lead to increased sales. Having UK and non-UK versions of the same device will be a hassle, so it’s likely a company would just follow those same rules and apply them to their devices globally. Also, now that the UK started to enact some IoT rules, we’ll probably begin to see other countries doing likewise.
The IoT Insecurity Dumpster Fire is currently burning happily, but it looks like there finally could be some hope of rain coming soon. Hopefully, this will improve things down the road.
If you have any questions about IoT Security, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.