IoT security: Held hostage by supply chain insecurity

Taylor Armerding
Jul 27, 2020


You can’t sell a new car in the U.S. without seatbelts, airbags and multiple other safety components. And those components have to meet certain quality standards.

It doesn’t matter where in the world the car, or its thousands of components, is manufactured or assembled. If you want to sell it in the U.S., it has to comply with standards set by the National Highway Traffic Safety Administration (NHTSA).

Unfortunately, nothing like that applies to the cybersecurity of the billions of devices that make up the consumer Internet of Things (IoT) — everything from toasters to toys, refrigerators to smart door locks, nanny cams to thermostats.

Which is increasingly dangerous, because if hackers can take control of seemingly harmless connected devices they could harm both your privacy and physical safety. Imagine the possibilities if an attacker gets control of your home security system, or hacks into your nanny cam and spies on you and your children.

The IoT is a massive example of the principle preached at security conferences year after year: You’re only as secure as your weakest link. Most organizations that create or sell products use a supply chain of dozens to hundreds of partners or vendors. And if a single link in that chain is vulnerable, no matter where it is, that can undermine the security of the products and the organization itself.

The march of supporting technology makes it even worse. Nick Marinos, director of IT and cybersecurity issues at the federal Government Accountability Office (GAO), said he has been involved in a number of recent audits “looking at IoT and supply chain,” which have found that the ongoing expansion of connected consumer devices (especially in light of many networks soon to be using next-generation cellular protocol 5G) amplifies those risks “exponentially.”

The problem in the U.S. is that while there are any number of standards and guidelines offering specifics on better security for connected devices, “the United States has few tools to enforce its security standards on manufacturers located abroad,” says a recent paper published by the Atlantic Council.

The authors, Bruce Schneier, Trey Herr and Nathaniel Kim, say the way to fix that problem is with what they call “the reverse cascade.” While foreign manufacturers and suppliers may be beyond the reach of U.S. regulatory agencies like the Federal Trade Commission (FTC), those agencies can leverage their authority over domestic retailers or distributors to force the vendors in their supply chain to meet a security standard.

Indirect pressure

“The FTC and other domestic regulators should recognize and exploit the fact that while supply chains are global, they often terminate with a domestic distributor,” they wrote. “The reverse cascade starts with applying regulatory pressure on the distributor to sell products that adhere to a specified set of design and manufacturing standards.”

This, they note, has been happening for decades in the auto industry. Auto manufacturers self-certify that their vehicles meet NHTSA standards. The agency then audits the safety performance of new vehicles and fines manufacturers that fail to meet the standards.

That, obviously, creates an incentive for domestic manufacturers to make sure that their supply chain vendors, both foreign and domestic, are producing components that meet the standards.

Schneier, cryptographer, author, blogger, self-described “public-interest technologist” and chief of security architecture at Inrupt, has long lobbied for more aggressive government involvement in improving consumer IoT security. He has testified before Congress that market forces aren’t doing and won’t do it, largely because consumers don’t demand security when making IoT device purchasing decisions. Consumers don’t care about security “because they don’t know enough to care,” he has said.

James Paul, managing director at Synopsys, said that is still true. “The problem in that domain is that price drives everything,” he said. “Security adds some level of cost even if it’s planned from the beginning. An IoT device needs to have enough cost, or represent enough perceived risk to consumers, for manufacturers to fit some security spend into the product development lifecycle.”

Indeed, while most consumers are aware of the risks from vehicles and medical devices, and welcome government involvement in setting safety and security standards for them, they tend to worry less about consumer IoT devices, figuring nobody would want to hack their refrigerators.

The mundane can mess you up

But they ought to worry.

“Cybersecurity is now a relevant concern for even the most mundane household objects — smart electric kettles can be set to explode, while compromised smart toys might eavesdrop on private conversations. Hacked thermostats can cause property damage,” the authors wrote.

So while consumers might consider their refrigerator being hacked as a minor inconvenience, if hackers were able to “conscript” hundreds of thousands of them to launch a “flood of web traffic against key internet servers,” it could paralyze those servers. That, the authors note, is what happened when hackers used a zombie army of security cameras and DVD players to take down internet-address lookup service provider Dyn in 2016, which prevented customers from reaching more than 1,200 domains.

Even more critical is that at the center of most consumers’ connected lives is their home Wi-Fi router, which is, among other things, a “communications hub for computers and other IoT devices” on the same network. The router’s security “impacts the security of all other devices connected to it.”

And for decades, most home routers have been notoriously insecure, which then leaves every device on the network insecure.

The paper cites a study by the Cyber Independent Testing Lab (CITL) that examined thousands of firmware samples from popular router brands. The finding: “Poor security across the board and, worse, little meaningful improvement from versions spanning the last 15 years.”

The reverse cascade, they argue, could start to move the security needle in the right direction, given that at least four elements of the supply chain for router retailers are relevant to security: component suppliers, original design manufacturers (ODMs), router manufacturers, and distributors.

So, for example, a major retailer like Best Buy could decline to stock any router that doesn’t comply with security standards set by the FTC or another federal regulatory body.

That would motivate the router brands to apply pressure upstream in their supply chains to force their vendors to comply with the standards. If a vendor resisted, the company could threaten to move to a competitor.

“The FTC’s initial action on the U.S. distributor drives a cascade of actions up the supply chain, helping to overcome legal and geographic boundaries to influence behavior globally,” they wrote.

Anything but simple

It sounds like it could be both practical and effective. But, of course, it isn’t simple. Marinos warns that simply taking an inventory of every element of a supply chain can be daunting. “While the benefits of interconnected devices are tremendous, it comes down to the realities of how complex their supply chains are,” he said.

“You have to know everything that is connected to your network and where all those components are supplied from. That’s really tough to do, and why security is often tacked on at the end, which is why many vulnerabilities can go undetected and exploited.”

And Emile Monette, director of value chain security at Synopsys, called the reverse cascade proposal “a necessary step” but insufficient on its own. He said really improving IoT security will also require major education throughout the market, arguing that it is not only consumers but also vendors and manufacturers who don’t understand the “unique risks” of the IoT.

“IoT risks are manifested and magnified through their connectivity — when others connect vulnerable IoT devices to a network on which you rely for services, then you are also put at risk without any say in the matter,” he said.

“Consumers need to be educated about the unique risks and given information that will help them make meaningful tradeoff choices between security, other aspects of performance, and cost in IoT purchases,” he said.

There are also some logistical hurdles to clear to launch the reverse cascade. First, where is the standard for security going to come from? Who, or what, is going to establish it?

The authors have some suggestions. One is international cooperation among the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) together with the National Institute of Standards and Technology (NIST), and the EU Agency for Cybersecurity (ENISA).

An agreement among those entities that “a single IoT security standard was their focus, and an adequate guide for secure design and manufacturing, would support efforts such as the reverse cascade to bring pressure on non-expert distributors and IoT firms alike,” they wrote.

They also said the U.S. Cyberspace Solarium Commission’s proposal for a National Cybersecurity Certification and Labeling Authority (NCCLA) “would fit well with this recommendation.”

Labels need muscle

They suggested that a label along the lines of UL or Good Housekeeping that verified the security of a device might prompt consumers to start choosing the safer alternative. “Properly labeled products could help mobilize consumers against insecure alternatives,” they wrote.

But without the heavier hand of government behind it, labeling has so far not proved all that powerful. More than four years ago UL announced the launch of a new Cybersecurity Assurance Program (UL CAP), a series of standards designed to “offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.”

Yet there is pretty much unanimous agreement that the consumer IoT remains riddled with vulnerabilities.

Trey Herr, co-author of the paper and director of the Cyber Statecraft Initiative at the Atlantic Council, called UL CAP “a good sign of what’s possible” but agrees that it needs some government leverage. “Government has a good role to play in helping drive adoption rather than dictating standards,” he said.

So what are the chances of something like the reverse cascade happening in the U.S.? Is this the kind of proposal that will catch the attention of members of Congress, who are currently consumed with a pandemic and an approaching presidential election?

Schneier said he is not aware of any pending legislation. But Marinos said there is definitely interest in the topic. He cited more than half a dozen pending bills on IoT security, including the Internet of Things Cybersecurity Improvement Act of 2019 in the Senate and the IoT Readiness Act of 2019 in the House. Of course, neither is close to being enacted.

Monette also noted that earlier this year CISA (within the DHS) published “Internet of Things Acquisition Guidance,” which “identifies factors to consider before purchasing or using Internet of Things devices, systems, and services.” He acknowledged, however, that the guidance “essentially leaves the onus for IoT security where it is today — caveat emptor.”

UK taking the lead?

One encouraging sign is that there is pending action on the issue elsewhere in the world. Infosecurity Magazine reported last week that proposed legislation in the UK would create an enforcement body for IoT devices with the power to “temporarily ban sales while a product is tested, permanently ban insecure products and serve recall notices.”

“Under the proposals, it could also be granted the power to apply for a court order to confiscate or destroy a dangerous product or issue fines against the manufacturer.”

Both Herr and Schneier are encouraged by the move. “Though we don’t get into detail about specific sanctions, it’s important that penalties be sufficiently sharp to shape behavior, and blocking sales certainly does that,” Herr said. “IoT security isn’t just about consumer security anymore, it’s a national security issue.”

Schneier offered a note of caution. “This seems like a move in the right direction, but the devil is in the details, of course,” he said.
