Exclusive: IoT device security needs to build on a standard foundation
Security has become a major issue for manufacturers and integrators who want to use the internet of things (IoT) to build more capable systems and services for consumers. The pace of change in the market has caught out many vendors as they try to keep up with demand.
The way in which many embedded-systems vendors have treated supervisor-level access control to their devices provides one example of the problems they now face. In the past, manufacturers often used simple access codes, sometimes as basic as a string of zeros (e.g. Bluetooth default PINs), to provide access to core system functions. This would make it easy for maintenance engineers to make changes to settings while ensuring it would be difficult for users to make changes inadvertently that would prevent the device from working properly. If a user needed to make a change, they could easily look the access code up in a manual.
As manufacturers moved to selling devices that could be networked for greater convenience, most saw the need to make improvements by moving to login names and passwords. Some even added security certificates so that legitimate devices would be recognised as valid by remote servers. However, to reduce the support burden, many took the decision to use default passwords for initial access and then issued advice for users to change that default once they had completed setup. In practice, few users made the changes as it was more convenient for them to keep the defaults as they were.
The consequences of this kind of approach to security became clear in the Mirai attack of 2016. Hackers were able to log into internet-connected home devices remotely and install their own code on them. Running on hundreds of thousands of hacked devices around the world, the uploaded code made it easy for the hackers to launch distributed denial of service (DDoS) attacks against targets. Botnets such as those created by the Mirai attacks are highly visible consequences of the weakness of outdated approaches to access control and security.
With the rise of the IoT, consumers are faced with a growing range of consequences that other hacks can bring. Many services rely on personal data being stored in connected devices that could be used in identity theft and other financial crimes. The range of IoT-based services that can be deployed also means a large variety of products urgently need to have their security improved. Products affected are as diverse as children’s toys, baby monitors, smoke detectors, smart door locks, smart cameras, TVs and speakers, wearable health trackers, connected appliances such as washing machines and fridges, and smart home assistants. Seeing the scale of the problem and the industry-wide response, ETSI decided to create a standard that could be used to guide developers along a better path, such as avoiding the use of universal default passwords.
ETSI EN 303 645 to tackle the issue
The EN 303 645 standard takes an outcome-focused approach to dealing with the issue of security in connected devices. Security is a moving target and malicious actors are as resourceful as they are cunning. The traditional approach of prescribing specific measures is likely to prove unsuccessful. Focusing on outcomes means manufacturers can use the defences most appropriate to the capabilities of the devices they create and the information they are expected to store. In terms of protective measures, the standard covers a number of areas. One is the need to keep software updated after vulnerabilities are found in versions that have already shipped. Another is to minimise attack surfaces and ensure code sanitises inputs to fend off attacks such as fuzzing and stack overflows.
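The input-sanitisation point above is easiest to see in code. The following is an added example, not code from ETSI or from the article: an allow-list validator for a hypothetical device "settings" payload (the field names, limits and byte cap are assumptions made for this example). It bounds the payload size before parsing, rejects unknown fields instead of ignoring them, and enforces length and character limits per field. Every rejection is a single exception type, so a fuzz harness can tell an expected rejection from a crash, which is what "sanitise inputs to fend off fuzzing" amounts to in practice.

```python
import json
import os
import re

# Constructed schema for a hypothetical device settings endpoint (an assumption
# for this example, not taken from any product or from EN 303 645).
# Each field maps to (maximum length, allowed-character pattern).
SETTINGS_SCHEMA = {
    "hostname": (63, re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")),
    "ntp_server": (253, re.compile(r"^[A-Za-z0-9.-]+$")),
    "timezone": (64, re.compile(r"^[A-Za-z0-9_+/-]+$")),
}
MAX_PAYLOAD_BYTES = 1024  # assumed cap; small embedded targets need a hard bound


class ValidationError(ValueError):
    """The only exception a caller should ever see from validate_settings()."""


def validate_settings(raw: bytes) -> dict:
    """Parse and validate a settings payload; return only the clean fields."""
    # Size check first: the parser never sees an oversized input.
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise ValidationError("payload too large")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError(f"malformed payload: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("payload must be a JSON object")
    # Allow-list: fields the device does not know are an error, not noise.
    unknown = set(data) - set(SETTINGS_SCHEMA)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for key, (max_len, pattern) in SETTINGS_SCHEMA.items():
        if key not in data:
            continue
        value = data[key]
        if not isinstance(value, str):
            raise ValidationError(f"{key}: must be a string")
        # Length is checked before the regex so a huge value never reaches it.
        if len(value) > max_len:
            raise ValidationError(f"{key}: longer than {max_len} characters")
        if not pattern.fullmatch(value):
            raise ValidationError(f"{key}: contains disallowed characters")
        clean[key] = value
    return clean


def fuzz_smoke(iterations: int = 200) -> int:
    """Feed random bytes to the validator and count clean rejections.

    Any exception other than ValidationError would propagate and is a bug in
    the validator; a return value equal to `iterations` means every random
    input was rejected without a crash.
    """
    rejected = 0
    for _ in range(iterations):
        try:
            validate_settings(os.urandom(16))
        except ValidationError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    print(validate_settings(b'{"hostname": "cam-01", "timezone": "Europe/Paris"}'))
    print("random inputs rejected cleanly:", fuzz_smoke())
```

The design choice worth copying is the order of checks: size, then syntax, then allowed keys, then per-field type, length and character set. Each stage only ever sees input that the previous stage has already bounded.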
An important aspect of EN 303 645 is that it is designed to address the entire product life cycle and not just the security of IoT devices while they are in service. Among other considerations, the manufacturer or service provider needs to provide mechanisms for users to ensure all personal data items can be deleted from the device when it is retired from service or disposed of. The standard also takes into account the requirement for a vulnerability disclosure policy. Such a policy provides a means for security researchers and others to report security issues in a responsible way and ensure that the concerns are addressed responsibly.
Though the standard itself is not intended to be directly mandated through law, it may help form the basis of an enforcement regime. Within the European Union (EU), for example, EN 303 645 is a close fit for the General Data Protection Regulation (GDPR), which stipulates that any organization with access to personal data must provide adequate safeguards to ensure those details cannot be stolen. The standard says device manufacturers need to ensure that personal data is well guarded and that sensitive communications are protected by encryption. As well as supporting the aims of legislation such as the GDPR and similar laws in other states, the standard provides a basis for demonstrating the use of best practice if a vendor falls under suspicion of negligently releasing personal data.
ETSI has collaborated with CEN and CENELEC to develop the EN and to handle its wider ongoing maintenance.
Meant for the entire product life cycle
The EN 303 645 standard was not intended to solve all security challenges associated with consumer IoT. During development of the technical specification that led to the standard, the ETSI Technical Committee on cybersecurity realised it would take time for the industry to gain enough experience and skills to build systems that can withstand well-resourced attacks. The focus in the standard is on the technical controls that matter most in addressing the most significant and widespread security shortcomings. The first three controls alone would have prevented all major recent IoT botnet and similar security breaches. The result is a high baseline level of security for all IoT devices, and future work will result in subsequent releases that improve protection further.
Documents that advise on best practice are being developed in addition to the work that led to EN 303 645 and its outcome-focused approach, further aiding development in a fast-changing environment. Though the guidance to stop the use of universal default passwords is likely to remain valid as long as passwords themselves exist, the industry has shown how some practices are more insecure than others. For example, some service providers have solved the issue by printing an individual initial WiFi password on a sticker placed on a pull-out flap on the rear of each router. Such approaches strike a good balance between security and customer usability and support. This kind of best practice can be readily shared by ETSI and other organizations in supplementary documents.
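The per-device sticker approach described above boils down to a provisioning step on the manufacturing line. The following is an added example written for this article, not code from ETSI or from any router vendor: it generates an individual initial password per serial number from a cryptographic random source, stores only a salted PBKDF2 hash on the device, and refuses both at provisioning time and at password-change time to accept any value from a (constructed, illustrative) list of universal defaults. The serial numbers, the default list and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed, illustrative list of universal defaults; not taken from any product.
KNOWN_UNIVERSAL_DEFAULTS = {"admin", "password", "1234", "0000", "12345678", "default", ""}

# Characters that survive being read off a printed sticker: no 0/O or 1/l/I look-alikes.
STICKER_ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
STICKER_LENGTH = 12
PBKDF2_ITERATIONS = 100_000  # assumed; tune to the device's CPU budget
MIN_USER_PASSWORD_LENGTH = 8


def is_universal_default(password: str) -> bool:
    """True if the candidate is one of the well-known universal defaults."""
    return password.strip().lower() in KNOWN_UNIVERSAL_DEFAULTS


def generate_sticker_password() -> str:
    """Draw a fresh per-device password from a cryptographic RNG."""
    while True:
        candidate = "".join(secrets.choice(STICKER_ALPHABET) for _ in range(STICKER_LENGTH))
        if not is_universal_default(candidate):  # defensive; cannot match at this length
            return candidate


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def provision_device(serial: str) -> dict:
    """Factory step: mint the sticker password and the record the device stores.

    The clear-text password is returned only so it can be printed on the sticker;
    the device itself keeps just the salt and hash.
    """
    password = generate_sticker_password()
    salt = os.urandom(16)
    return {
        "serial": serial,
        "sticker_password": password,          # goes to the label printer, not to the device
        "credential": {"salt": salt.hex(), "hash": _hash_password(password, salt).hex()},
    }


def verify_password(credential: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    expected = bytes.fromhex(credential["hash"])
    actual = _hash_password(candidate, bytes.fromhex(credential["salt"]))
    return hmac.compare_digest(expected, actual)


def change_password(credential: dict, old: str, new: str) -> dict:
    """User-initiated change: the new value must not be a universal default."""
    if not verify_password(credential, old):
        raise PermissionError("current password does not match")
    if is_universal_default(new):
        raise ValueError("new password is a universal default and was rejected")
    if len(new) < MIN_USER_PASSWORD_LENGTH:
        raise ValueError(f"new password shorter than {MIN_USER_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _hash_password(new, salt).hex()}


if __name__ == "__main__":
    unit = provision_device("SN-EXAMPLE-0001")  # constructed serial number
    print("print on sticker:", unit["sticker_password"])
    print("login with sticker value:", verify_password(unit["credential"], unit["sticker_password"]))
    print("login with 'admin':", verify_password(unit["credential"], "admin"))
```

Two properties matter here and both are easy to check in a test: two devices off the same line never share an initial password, and the value on the sticker is the only credential that opens a fresh unit.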
Going further with cybersecurity assessment
Other work will build on top of the EN 303 645 standard. The TS 103 701 document will specify test scenarios for assessing products against the provisions of EN 303 645 and so provide a basis for testing by laboratories. It will also be used to provide input to the common cybersecurity certification framework that was proposed in the EU’s Cybersecurity Act. The eventual outcome may be mandatory use of penetration and vulnerability testing in all IoT products sold in Europe.
As a response to the security issues that face connected embedded systems used by consumers, EN 303 645 provides an effective starting point. Ongoing work by ETSI around this standard will help ensure the industry catches up with the hackers and, ultimately, outpaces them.