BlackBerry security chief sounds alarm over IoT insecurity, wants govts to start slapping wrists
Security buffs everywhere agree that, although governments lack the knowledge needed to regulate cybersecurity, they still should pick up the baton and use their influence to make the future safer for all of us. And according to one Alex Manea (CSO at BlackBerry), governments should at least step up their game in the IoT space.
“I think there needs to be better government regulations around IoT,” the BlackBerry security chief said in a keynote speech at the annual Urban Security and Resilience Conference in Toronto.
“One of the things I would like to see from an IoT regulatory standpoint is have a set of regulations that every device that connects to Internet has support, accepts and can load software updates. Because the reality is every piece of software is going to have vulnerabilities,” Manea argued.
“What worries me in my mind is IoT fundamentally changes the threat model in terms of security.”
And he’s right. In the rush-to-market philosophy employed by most IoT vendors looking to grab a slice of the inter-connected pie of the future, many devices leave the factory inherently vulnerable to attack. Some have default passwords hardcoded in them, making a brute force attack a walk in the park for bad actors. Others lack encryption, opening the door to man-in-the-middle attacks for eavesdropping or exfiltration of sensitive data – perhaps even blackmail or extortion.
Users are partly to blame, for snatching these products off the shelf one after the other without doing their homework. Sometimes, it seems the only viable solution to securing a smart home is to employ a dedicated IoT security hub. However, in the long run, governments share the responsibility of regulating this uber-connected future we’re headed for.
As reported by IT World Canada, BlackBerry researchers have shown how a simple thing like an Internet-connected kettle can be misconfigured and, once linked to a corporate Wi-Fi network, leveraged to give attackers access to unencrypted internal business traffic.
The publication further notes that the Online Trust Alliance has published an IoT Trust Framework for vendors to follow. And the UK is trying to lead by example, by setting out the government’s work to help ensure consumer IoT products have security built in from the start – like the GDPR will soon require from everyone who collects and processes EU customer data.
Manea said companies on tight budgets and margins making products as inexpensively as possible pose a serious threat to the IoT ecosystem.
“There’s many other security best practices that I think would be more mandated, things like mutual authentication between all sources, making sure we encrypt all data on devices and encrypt all data in transit as well. There’s a number of different layers of regulation we could have. I would love to see a general framework for IoT security, which doesn’t exist right now in any part of the world,” the BlackBerry CSO concluded.
Interestingly, a study of 1,000+ adults conducted in the U.S. by Market Strategies International a few months ago revealed that even regular customers want the government to do its bit in regulating the IoT landscape.