What happens when smart device manufacturers don’t pay (enough) attention to basic security principles? How do we support, upgrade, and patch existing devices when security issues are identified after they’ve hit the market? These are some of the questions we tackled at the kickoff meeting of the US NTIA “Multistakeholder Process: Internet of Things (IoT) Security Upgradability and Patching” held on 19 October in Austin, Texas.
The Internet of Things, or IoT, has been widely referred to as the “Internet of Insecure Things.” This has been brought into sharp focus in recent weeks as the Mirai botnet was apparently used to launch high profile and very disruptive Distributed Denial of Service (DDoS) attacks. These attacks were notable in that compromised IoT devices were the dominant part of a botnet used to send unprecedented levels of traffic.
The source code for the Mirai botnet was subsequently released to the public and it turns out that it is not particularly sophisticated. In large part, it takes advantage of well-known default usernames and passwords and simply scans the Internet looking for devices it can log into and infect. While in the past this has been an issue with home routers, IoT brings another dimension to the problem space since many of the devices on the market and in use also use well-known default passwords, many of which cannot be easily changed.
This is an example of what happens when vendors ignore basic security principles, which need to be part of development and design processes from the beginning and all the way through until products reach the market. But the responsibilities do not end there in terms of supporting, upgrading, and patching them in the field. The Internet is a vast and complex ecosystem, and as these recent attacks have demonstrated very clearly, security choices made by vendors can and will have profound impacts on us all. It is the responsibility of all vendors in this space to ensure that they are good Internet “citizens.”
More to the point, security is a never-ending process and not simply a “once and done” part of the design cycle. In essence it is an ongoing arms race with those who would seek to exploit Internet-connected devices to do harm. Note that “harm” can extend far beyond simple DDoS attacks when it comes to IoT since many healthcare, building automation systems, and SCADA (Supervisory Control And Data Acquisition) systems used in industrial and utility settings can cause real and significant damage to life and property if misused.
As security issues and vulnerabilities become known, they need to be corrected by installing patches or upgrades to the software and firmware running these devices. In many cases in the IoT this is extremely challenging due to a variety of factors, including:
- difficulty in accessing devices, whether physically or through the network
- limited capacity on the device, including memory and processing power needed to receive and perform the upgrade or patch
The Internet Society (namely Olaf Kolkman, Chief Internet Technology Officer, and myself) was pleased to participate in the kickoff meeting of the US NTIA “Multistakeholder Process: Internet of Things (IoT) Security Upgradability and Patching” held 19 October 2016 in Austin, Texas. It was chaired by Allan Friedman, Director of Cybersecurity Initiatives, NTIA Office of Policy Analysis and Development.
This meeting spurred excellent discussion among a diverse group of participants, and led to the formation of five working groups (detailed below). This meeting was well aligned with the Internet of Things Software Update (IoTSU) workshop  held earlier this year, and represented a good first step toward stakeholders working together to solve common problems.
- We need to think about unexpected consequences of the behavior, and misbehavior, of devices when they are part of a bigger ecosystem
- There are challenges in different ways of defining and describing the issues, which lead to potential area of ambiguity
- While there are and have been efforts to address device security, upgradability and patchability haven’t received a lot of attention until recently
There was a general recognition of the seriousness of this issue among the meeting participants, and consensus in the room that the stakeholders want and need to self-regulate to avoid what all agreed would likely be regulatory and/or legislative intervention that none would like. Thus there was significant incentive to move, and to move quickly if at all possible. Time will tell if this is successful, but we are cautiously optimistic.
The workstreams coming from the initial meeting:
- Review of existing standards and Initiatives: What are existing standards and tools for IoT security upgradability that can inform or should be part of this initiative?
- Maximum capability and minimum expectations: For each defined class of device, what is the least we might expect and the most we might expect for upgradability?
- Communicating IoT upgradability: This working group will examine ways for IoT product makers to describe the why/how/what/who of updatability to buyers.
- Incentives and Barriers: How do we foster greater adoption of good patching and updating practices?
- Shared open upgrade framework: What are the benefits, requirements, barriers, and existing components of a shared open upgrade framework to support smaller producers or end-of-life products?
The group is working on arranging a next meeting in early- to mid-December 2016, location not yet determined. The Internet Society welcomes this effort and we will be monitoring it as it progresses, but we will not be active participants in it.
This is intended to be an open and inclusive process. If you are a producer, retailer or consumer of “Things” your voice is important, so please consider participating.
Meeting website, including unedited notes taken in real time and information about how to participate in the workstreams: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
 Internet of Things Software Update (IoTSU) workshop site, including position papers:
Draft workshop report: