IoT Security … Meet RED … and Security By Design and By Deafult

We had an open day over the weekend, and I rolled-out my CCTV device, some toys and a few other gadgets. With every device we have tested…
Photo by S. Tsuchiya on Unsplash

IoT Security … Meet RED … and Security By Design and By Default

We had an open day over the weekend, and I rolled out my CCTV device, some toys and a few other gadgets. With every device we have tested, there has always been a major security and/or resilience weakness. It seems as if security is an afterthought in device design, and that ease of setup (and the cheapness of devices) seem to be key drivers.

One of the devices I demo is Cloud Pets, and where it was found that virtually every Bluetooth-enabled device can connect to them by Bluetooth. Also, it was found that every conversation between parents and their children had been recorded and stored in an unprotected way on the Amazon S3 cloud:

I also demo my cat feeder, and which failed to secure the streaming video from the camera. Along with this, it failed to feed the pet when the network connected failed:

Here is part of the demo that I give in my presentations:

With this, I discovered that my cat feeder was actually broadcasting this feed from my IP address, so that anyone who knew my IP address could connect to it. I’ve thus never used the cat feeder since I recorded this (apart from in demos, of course). And here is my wifi-enabled kettle, and which has Telnet enabled as a service, and with a default password of “000000”:

If you don’t know, Telnet is a service which allows someone to remotely log into a device.

Met RED

And so, in many cases, the carrot hasn’t worked with IoT devices. To overcome this lack of progress, the EU is adopting new cybersecurity standards for these devices. This includes:

  • Improved network resilience. With the Mirai bot, the Facebook DNS service went down because nearly half a million CCTV cameras were compromised, and which created a massive Botnet. Each of these cameras — and which were provided a white label products to many vendors — has a simple default password on them.
  • Better protect consumers’ privacy. With this manufacturers will have to improve the protection of personal data on the device and within the infrastructures to which it connects to. This will include the protection of children's rights to privacy.
  • Reduce the risk of monetary fraud. This is likely to add measures that reduce the opportunity for fraud related to the devices.

This is based on a commissioned report [here]:

It analysed whether existing data privacy and IT regulations could cover the risks associated with IoT devices and whether there could be a voluntary approach. With existing GDPR approaches there has been a strengthing with the e-PD (e-Privacy Directive) in GDPR, and the associated e-Privacy Regulation (e-PR). But, overall, these approaches have not had time to be properly implemented. Along with this, there is little in the way of a legal framework to combat cyber fraud. With a voluntary approach, there would be an adoption of codes of practices, such as defined by ENISA in the EU, and NIST in the US. Along with this, the report outlines that much of the existing regulations perhaps focus more on wired connections, and less on wireless-enabled ones.

In the end, the report recommends a regulatory approach and which would be implemented with the Radio Equipment Directive (RED). This could lead to the improved quality of devices, and a move away from inexpensive devices which have poor security integration. The cheap devices often get ‘dumped’ quickly by consumers, and thus an improvement of security standards could lead to fewer devices being discarded. Within RED, there should also be continuous monitoring of security threats and vulnerabilities around wireless-enabled devices, and for devices to be tested against these.

The implementation of the measures is scheduled for 2024 and with a transition period of 30 months. The main changes are likely to be that every device will have a unique password, and that encryption will be used for communications and for the storage of data on the device.

And the final recommendation is … that devices should be …

secure by design and by default

Conclusions

The carrot hasn’t worked … now meet RED … the stick!

Here are the related documents on “Impact Assessment on Increased Protection of Internet-Connected Radio Equipment and Wearable Radio Equipment:

DocsRoom - European Commission
DocsRoom - European Commissionec.europa.eu