14-12-2020 | By Sam Brown
The US is closer to passing a new law that would require federal agencies to use only IoT devices that meet a minimum level of security. Why is this law being brought in, what requirements does it set out, and how can designers keep their IoT devices secure?
The Internet of Things, or IoT, is an entire industry of products that incorporate devices with basic internet connectivity. For example, simple sensors that record ambient temperature and air pressure and report the readings back to a remote server are considered IoT devices. Desktop PCs and laptops, although connected to the internet, are generally not classed as IoT devices.
While Ethernet controllers and Wi-Fi dongles have existed for a long time, it was the arrival of connectivity modules designed for use with microcontrollers that made the IoT sector possible. The number of IoT devices on the market has since grown exponentially thanks to the development of SoCs, which integrate all the major parts of a design into a single package. This lowers the cost of a design and, as a result, accelerates development in the area.
However, the flood of IoT devices onto the market has had a negative consequence: security. Many devices, even to this day, lack basic security measures, often through the negligence of the designer. While a single insecure IoT device is unlikely to cause much harm, the many billions deployed around the planet form a network that is easily compromised and taken over. This has been seen in several IoT incidents, including the Mirai and Kaiji botnets and the Ripple20 vulnerabilities in a widely used embedded TCP/IP stack.
To make matters worse, employees of government institutions are unlikely to be aware of the dangers of IoT devices. Staff who bring their own devices onto a network, or who set up their own infrastructure, create openings for cybercriminals. As a result, there has been a growing movement to ensure that devices used by government institutions follow a strict set of security rules.
The proposed law, which now has Senate support, would require all branches of the federal government to use only IoT devices that meet at least a minimum set of security requirements. While two US states already have IoT legislation, this would be the first federal law to regulate the use of IoT devices on the grounds of the security threats they can present.
While it is not yet clear exactly what the minimum security requirements for IoT devices will be, we know that the standards will be laid out by the National Institute of Standards and Technology (NIST) and will cover secure development, identity management, patching, and configuration management. NIST has already published a core security baseline for IoT devices, NISTIR 8259A, as well as a set of security recommendations for device manufacturers, NISTIR 8259.
The capabilities listed in NISTIR 8259A include a unique, long identifier for each device, the ability to update software while rejecting unauthorised updates, the use of proven cryptographic modules, and the ability to disable local and network interfaces that are not needed. Other legislation, such as the law passed by California, also requires unique device names and passwords that are unique to each unit rather than a shared default, or else that the user is forced to set new credentials before the device can be used for the first time.
There are many aspects of a product that need to be considered when designing with security in mind. For example, components with tamper-detect pins allow a design to respond to physical attacks on the circuit, such as by erasing stored keys when the enclosure is opened. Designers can also consider hardware security modules or secure elements, which keep keys in protected storage and can encrypt data both in memory and at rest.
With regards to the product as a whole, the first step towards a secure IoT device is to ensure all communication is encrypted, for example by using TLS with certificate verification when talking to a remote server. The second step concerns the reset function: ideally the device needs no reset mechanism that an attacker could abuse, but if a factory reset exists it must wipe all personal data and credentials from the device.
From there, a designer should ensure that the product does not ship with common or shared default passwords. While it may be less convenient, every device should have its own unique login credentials and a unique name. On first use, the system should then require the user to set new credentials, so that a factory password that was exposed in transit or on a label can no longer be used.
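The per-device credential policy described above (a unique factory password per unit, stored only as a salted hash, with a forced change on first login and a refusal of well-known replacements), as an added example in Python that is not from the original article. The device name format, the short list of banned passwords and the PBKDF2 parameters are assumptions chosen for illustration; a real product would ship a much larger banned list and print the factory password on the unit's label.

```python
"""Per-device credentials with forced first-login rotation (added illustration, not the article's code)."""
import hashlib
import hmac
import secrets

# Constructed, deliberately tiny banned list; a product would use a much larger one.
COMMON_PASSWORDS = {"admin", "password", "12345678", "default", "root"}
PBKDF2_ROUNDS = 100_000          # assumed work factor
MIN_LENGTH = 12


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); draws a fresh random salt when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def provision_device(serial):
    """Factory step: give each unit its own name and secret instead of a shared default.

    Returns the credential record the firmware stores and the one-time factory
    password (assumed to be printed on the unit's label). Only the hash is kept.
    """
    initial = secrets.token_urlsafe(12)            # 16 URL-safe characters, unique per unit
    salt, digest = hash_password(initial)
    record = {
        "name": "sensor-%s" % serial,              # unique name, not just "sensor"
        "salt": salt,
        "hash": digest,
        "must_change": True,                       # factory secret is only good for one login
    }
    return record, initial


def verify(record, password):
    """Constant-time comparison of the candidate password against the stored hash."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def login(record, password):
    """Return 'denied', 'change_required' (factory secret still in use) or 'ok'."""
    if not verify(record, password):
        return "denied"
    return "change_required" if record["must_change"] else "ok"


def change_password(record, current, new):
    """Rotate the credential; rejects short, well-known or unchanged passwords."""
    if not verify(record, current):
        return False
    if len(new) < MIN_LENGTH or new.lower() in COMMON_PASSWORDS or verify(record, new):
        return False
    record["salt"], record["hash"] = hash_password(new)
    record["must_change"] = False
    return True


if __name__ == "__main__":
    rec, factory_pw = provision_device("A001")
    print(rec["name"], login(rec, factory_pw))          # change_required
    print(change_password(rec, factory_pw, "correct-horse-battery"))
    print(login(rec, factory_pw), login(rec, "correct-horse-battery"))
```

Two units provisioned this way never share a password or a name, a leaked factory password stops working after the first login, and the credential store holds no reversible secret that an attacker could lift from flash.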
All personal data stored on a device should either be kept on-chip or be encrypted off-chip using a proven cryptographic algorithm. Some designers attempt to invent their own cryptographic methods, and these turn out to be insecure far more often than not. If a system can update or upgrade its firmware, it must use secure boot so that only authenticated firmware is launched. Furthermore, a device should refuse to roll back to older firmware once a newer version that fixes vulnerabilities is available, otherwise an attacker can simply reinstall the vulnerable image.
Other measures that designers can build into their products include removing unused ports and services, removing peripherals that are not in use, disabling remote access services such as SSH when they are not needed, and being able to warn users that the system is compromised or may be vulnerable to compromise.
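The update acceptance logic that the secure-boot and anti-rollback advice above calls for, as an added Python example that is not code from the original article or from any particular product. The image layout (a magic value, a version number, a payload length, the payload and a trailing tag) is an assumption made for illustration. The tag here is an HMAC-SHA256 computed over the header and payload, used as a stand-in so the example runs with only the standard library; a production secure-boot chain uses an asymmetric signature (for example ECDSA or Ed25519) so that the device holds only a public verification key and no secret that signing requires.

```python
"""Firmware image acceptance with authenticity and anti-rollback checks (added illustration)."""
import hashlib
import hmac
import struct

MAGIC = b"FW01"                      # assumed image magic
HEADER = struct.Struct(">4sII")      # magic, version, payload length (big-endian)
TAG_LEN = 32                         # HMAC-SHA256 tag; stand-in for a real signature


def build_image(key, version, payload):
    """Packaging side: header + payload + tag over everything that precedes the tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Device:
    """Minimal updater: nothing is written to flash until every check has passed."""

    def __init__(self, key, installed_version):
        self._key = key                          # verification key burned in at the factory
        self.installed_version = installed_version
        self.firmware = b""

    def apply_update(self, image):
        """Return 'installed' or a string naming why the image was rejected."""
        if len(image) < HEADER.size + TAG_LEN:
            return "rejected: truncated image"
        magic, version, length = HEADER.unpack_from(image)
        if magic != MAGIC:
            return "rejected: bad magic"
        body_end = HEADER.size + length
        if body_end + TAG_LEN != len(image):
            return "rejected: length mismatch"
        body, tag = image[:body_end], image[body_end:]
        # Authenticate before trusting any field, including the version number.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: authentication failed"
        # Anti-rollback: a genuine but older (or identical) image is still refused,
        # which also stops replay of a previously valid image.
        if version <= self.installed_version:
            return "rejected: rollback to version %d refused" % version
        self.firmware = image[HEADER.size:body_end]
        self.installed_version = version
        return "installed"


if __name__ == "__main__":
    key = b"constructed-device-key"            # constructed key for the demo
    dev = Device(key, installed_version=3)
    print(dev.apply_update(build_image(key, 4, b"sensor firmware v4")))   # installed
    print(dev.apply_update(build_image(key, 2, b"sensor firmware v2")))   # rollback refused
    print(dev.apply_update(build_image(b"attacker-key", 9, b"malware")))  # authentication failed
```

The order of the checks matters: the version field is only consulted after the tag over it has been verified, so an attacker cannot bump the version on an unsigned image to get past the rollback check, and a signed-but-vulnerable old image is refused even though its tag is genuine.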