Wednesday, April 24, 2024

Securing IoT and ICS Devices Through Deliberate Exposure Testing for eXploits (DETOX)

The number of Internet of Things (IoT) devices is predicted to grow at a phenomenal rate, high enough to require more bandwidth than current wireless technologies can provide, leading to a requirement for fifth generation (5G) mobile networks. Many households and businesses already have IoT devices in the form of Amazon Echo interactive smart speakers, doorbells with video cameras, baby monitors, smart thermostats, and the routers that support these devices, as well as many industrial control systems (ICS) that help run all kinds of machinery and sensors. Even though these devices have been around since 2003, according to recently published research by Cyber ITL (CITL), their security has not improved significantly.

This lack of security improvement stands in marked contrast to personal computers (PCs), which have improved significantly over the last few generations even if they still have a way to go. Security improvements by PC hardware and software manufacturers have arguably outpaced the ability and desire of the organizations that rely on these devices to make full use of them, likely because the victims of security implementation failures are generally external. Another factor is the extensive reuse of code, so that new products rely on old (insecure) code that never gets improved.

The complexity of cyber technology makes it difficult to find security vulnerabilities unless the vulnerabilities are minimized by following secure coding practices. Looking particularly at IoT devices, this is evidenced in CITL’s paper, which suggests that security gets worse as more devices are released. Similarly, updates to IoT software are more likely to reduce security than to improve it. This trend presents an increasing risk as IoT devices become even more common and essential to safety and security.

If IoT manufacturers do not have an incentive to make their devices more secure, it is likely that the scale and ubiquity of the internet could be used to identify security vulnerabilities. Underwriters Laboratories (UL LLC) is a global safety organization that verifies the safety of numerous devices including electrical devices, smoke detectors, building products, ICS equipment, plastics, wire and cables, etc. If an organization like UL, or the European Agency for Cybersecurity (ENISA), implemented a set of high-level standards for cybersecurity, focused on preventing vulnerabilities affecting confidentiality, integrity and availability in IoT devices, much could be gained.

Rather than making each vendor responsible for finding and fixing the flaws in their own code, it is possible to crowdsource vulnerability discovery. UL or ENISA could mandate that, as a condition for receiving the UL or ENISA security marking, IoT vendors must put their devices online and provide bug bounties for vulnerability reporting. ENISA or UL could manage a directory of devices that are online for penetration testing, as well as a verification mechanism to ensure that the first reporter of a vulnerability receives the bounty. The IoT vendors would have to fix the vulnerabilities that are discovered and leave their devices online until all known vulnerabilities are fixed and a certain timespan has passed with no new vulnerabilities discovered.

The prevalence of software recycling means that testing old IoT devices provides a lot of information about current vulnerabilities. This shifts the burden for delays in releasing new IoT devices increasingly onto the manufacturers and their speed in fixing vulnerabilities. Similarly, because many software packages are used by multiple IoT vendors, a fix by one vendor could lead to security improvements by many. Naturally, the bug bounties would have to be large enough to provide adequate rewards for the discoverers and an incentive for the IoT manufacturers to minimize vulnerabilities.

UL or ENISA could establish a bug bounty scheme that indexes bounties by severity. Schemes such as those used to rank vulnerabilities in the Common Vulnerabilities and Exposures (CVE) schema already provide a template for ranking vulnerabilities and could easily be used to scale bug bounties. Alternatively, or to encourage voluntary participation in an ENISA- or UL-run scheme, governments could establish a similar scheme in which manufacturers of IoT devices exploited by hackers are penalized according to the scale and duration of the vulnerability.

Just as the scale and connectivity of the internet make devices accessible from sites far and near, so it is possible to take advantage of this network effect to secure them. Call it Deliberate Exposure Testing for eXploits, or DETOX.

Hans Holmer
Hans Holmer is a retired CIA Officer. He learned to program computers in 1973, did some FORTRAN in college and was a System Administrator for the US Army from 1983-86. After that he joined the CIA and began working on the interface between humans and technology in the mid-1990s. He received the CIA Intelligence Star for a technology-related operation before the turn of the century and continued to be a thought leader and pioneer in the domain until he retired in 2012. He is on the board of Bravatek and now lives in Vienna, Austria.