Tech giants warn IoT vendors to get real about security
Broadband Internet Technical Advisory Group waves baseball bat at slapdash Thing-makers
The heavyweights behind the Broadband Internet Technical Advisory Group (BITAG) are sick of Internet of Things (IoT) startups foisting insecure rubbish on consumers, and have fired a report that looks like a stern warning that IoT bandwagon-hoppers need to get their houses in order.
The group – which counts vendors like Cisco, six US network operators, Google and even Disney in its members – makes the welcome (if obvious) statement that the IoT creates a new type of customer, a new type of victim, and vendors need to shoulder responsibility for them.
“The nature of consumer IoT is unique in that it can involve non-technical or uninterested consumers”, the report (PDF) notes.
Add to that the challenge in even figuring out what gadgets are on the home networks, the fact that device makers don't even bother with “rudimentary security and privacy best practices”, and are easily compromised, and the IoT looks nightmarish to BITAG.
Spelling out what the Internet of Things is habitually getting wrong, the BITAG report says:
- Devices ship with outdated and vulnerable software, and vendors don't care about product lifecycle or patch management; and
- Communications are often unauthenticated and unencrypted, and home users don't know how to isolate insecure devices from the rest of their networks;
BITAG's recommendations reiterate what's becoming a consensus among serious players, but will nonetheless be ignored by a significant chunk of the Internet of S**t ecosystem.
The probably-doomed recommendations include strong authentication and encryption, eliminating insecure default accounts, and secure and automated patch management.
Its encryption recommendations are extensive, with BITAG calling for protection of configuration communications; device-to-controller sessions; and local IoT device storage. Devices should authenticate all communications, software changes, and polling messages asking for data, with each device using unique (and replaceable) credentials.
Devices should shut ports and services they're not using, and developers should stick to actively maintained libraries.
So users don't shiver in the dark or get locked out of their homes, the group also says products need to operate without connections, in case the broadband service fails or the vendor's cloud collapses.
+Comment: We don't propose to adumbrate the whole 43 pages of the report: nearly everything in it is sensible, and should have been how IoT devices were designed from the start.
Getting Thing developers on board will be a different matter, but given BITAG's membership, perhaps the report also represents a warning shot to slapdash developers.
As well as Comcast (whose VP of technology policy and standards Jason Livingood co-edited the 24-contributor report with Princeton University's Nick Feamster), network operators in BITAG include AT&T, CenturyLink, Charter Communications, Level 3 and T-Mobile – the companies best placed in the world to kick bad traffic off the Internet.
Having Cisco, Google, Mozilla and CableLabs among the many contributors to the report also helps.
The Register reckons BITAG's members need to prepare some kind of action beyond a self-regulating IoT industry group (a recommendation in the report).
The industry is going to resist, because even implementing one of the report's many sets of recommendations – that the industry imitate enterprise IT's systems of vulnerability reporting, updates, life cycle management, secure updates and the like – falls entirely outside the economic model of a consumer gadget.
The report describes the problem. If the vendors won't act on the solution, will the rest of the tech sector? ®