Security-by-design: the inside-out approach to combat IOT breaches

The world is fast moving towards an era of constant and seamless connectivity led by technologies like 5G and IoT networks. There are already billions of IoT devices that are online around the world, while new devices are being connected every single day. This is a network that’s growing fast and rather furiously. A study by the UK thinktank WRAP states that there will be an average of 10 to 15 IoT devices per UK household by the end of 2020. While this does promise a sharp rise in the IoT-led industry, it doesn’t guarantee it’s going to be all good.

Just as IoT devices offer visibility and control over our home and office environments – heating, cooling, energy usage, security controls, etc. – they can just as easily transfer this control to the bad actors around us.

To understand this concern, ‘Hello Barbie’ is a prime example of privacy issues connected to smart devices. Children could speak to the doll, and their audio files would be encrypted and sent to an online speech analysis platform.

The platform would then generate an appropriate response for Barbie to communicate with the child. But the parents never knew what companies had access to these recordings and how they were used. 

In February 2017, 2.2 million audio files were compromised and held for ransom using microphone-enabled teddy bears. The same month, the German government banned a doll called 'My Friend Cayla' that came with such poor security that hackers were actually able to take control and speak through the dolls.

But these scenarios are nothing compared to what's happening now.

The security firm F-Secure released a report in September 2019, which showed a record of nearly 3 billion attacks tracked by its honeypots during the first half of 2019. Researchers found that 26% of all attacks targeted telnet ports, mainly used by IoT and connected devices.

This is a clear indication that while IoT networks offer seamless connectivity, they are anything but secure. The crux of the problem lies in the fact that IoT devices are distributed, unmonitored, and physically unprotected.

So even if they are connected to a secure wi-fi network, bad guys can still tamper with IoT devices, which renders software-based security inadequate to protect them from integrity and hacking attacks.

Antivirus protection is essential, but when it comes to a device's integrity, hardware and firmware are seen as more trustworthy. 

Software is usually predisposed to design and implementation flaws and might even fail to recognise an advanced form of malicious code. By contrast, hardware security is hard to intercept and tamper with.

Let’s do a situation analysis here

If you wait to think of what information our IoT devices constantly collect from us – our conversations, health data, financial information, maybe even providing eyes to hackers inside our homes using webcams – you’ll realise the extent of increased privacy and security risks.

Concerned authorities are putting forward many solutions to prevent information leak and tampering attacks. However, the cybersecurity industry is still catching up with the requirements of the latest technological developments.

As of now, IoT networks are susceptible to dual security risks – device integrity and data breach through network vulnerabilities.

Device security

One solution is to prevent device tampering and vulnerability issues by making the devices more secure by design. 

When devices are not designed with high-speed and unhindered connectivity in mind, they are not manufactured to ensure the security requirements for these networks. 

But if manufacturers can design devices with built-in security features that meet stringent privacy and protection standards, it’d be a lot easier to manage pertinent risks.

That’s why soon after California introduced legislation to address IoT security, the UK is also looking to implement similar laws to protect both consumer networks as well as business infrastructures. 

Back in 2018, the UK government had already introduced ‘Secure by Design Code of Practice’ to ensure IoT security by pushing for strong by-design cybersecurity features into smart devices. HP Inc Geo, Centrica Hive, and Panasonic were some of the first companies to support the decision.

Last year in February 2019, the European Telecommunications Standards Institute (ETSI) announced the first global industry standard for consumer IoT Security in line with the Code of Practice discussed above.

Many industry experts, security professionals, and product manufacturers are on-board with the decision. Digital Minister Matt Warman says that this pro-innovation regulation will build more confidence in modern technology,

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people’s privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought.”

Nicola Hudson, the Policy and Communications Director at the NCSC, also welcomed this decision in a prepared statement, 

“Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed.”

According to the new code of practice, the IoT and consumer smart devices manufacturers will have to comply with the government's security requirements. Vendors that want to sell their products in the UK will have to make sure that their devices have unique passwords and that customers can’t restore their devices to default factory settings. 

In addition, the law will also have manufactures assign a public point of contact where consumers can report vulnerabilities so that they can be addressed in real-time. 

Manufacturers will also need to publicly declare the duration for the device security updated at the point of sale. This will help consumers understand what to expect from the device’s built-in protection in the long run. 

Maximum transparency and improved user controls

While the Security by Design Code proposes useful measures for Iot device integrity, it doesn’t address the attack landscape spread over the networks. That’s what OneLogin’s VP of Solution Engineering, Stuart Sharp, believes as well,

“The proposed regulations do nothing to ensure that the mechanisms underpinning IoT communication are secure.”

Therefore, governments must implement robust measures to safeguard consumer privacy as part of the devices' normal operation. IoT devices should have strong cybersecurity built into them.

For instance, CLTC UC Berkeley proposed improved user control and management in their whitepaper series concerning Privacy and the Internet of ThingsThese controls include building transparency through:

Privacy management – collection, usage, and dissemination of personally identifiable information as well as withdrawal of consent to store data that has already been collected.

Identity management – how people are identified within systems, how they authenticate to log in, and who has the authorization to see which information.

Notifications – including just-in-time (real-time), periodic, context-dependent (situation-based, i.e., privacy risks in a group activity), and layered notifications.

As online systems evolve in the future, privacy requirements will change as well. However, as long as there is proper legislation covering individuals’ rights against the misuse of information, some level of privacy will always be observed.

Final thoughts

While laws should be there to protect consumers, you can’t put a price on caution. There are four key elements to save a person’s privacy: device security, network security, software security, and vigilance. Of which vigilance is arguably the most important one.

Consumers should be conscious of what information they are sharing and at what platform. For instance, people can avoid having a private conversation or discussing sensitive business or financial matters within hearing range of a smart device that can “listen,” such as Alexa and Siri. 

As technologies become more advanced, laws and policies must also be formed at a corresponding pace. Otherwise, we can end up doing more damage to our societies than good.

Hajra Khan is technology writer and an environmentalist, currently working at CimaTech. She has extensively researched the field of disruptive technologies and is keen to see how they shape up in the realm of information technology.

In partnership with