Jusletter IT

IoT Cybersecurity: Voluntary and Self-Assessed?

  • Author: Daniel Ronzani
  • Category of articles: TechLawNews by Ronzani Schlauri Attorneys
  • Region: Switzerland
  • Field of law: IT-Law
  • Citation: Daniel Ronzani, IoT Cybersecurity: Voluntary and Self-Assessed?, in: Jusletter IT 4 December 2018
[1]

Do you remember the 2016 DDoS attack1 by the «Mirai» botnet2 and the 2017 cybersecurity incident with the casino aquarium? In 2016 the «Mirai» botnet hijacked Internet of Things (IoT) devices3 and used them to overwhelm the managed DNS service4 of Dyn Inc., which broke down.5 As a result, major Internet platforms and services (e.g. Airbnb, CNN, Netflix, PayPal, Twitter, Spotify6) were unavailable to large swathes of web users in Europe and North America. In 2017 hackers obtained access to the servers of a US casino through the (temperature and food) sensors installed in the casino’s lobby aquarium.7 Will the currently debated EU Cybersecurity Act8 (Act) prevent such IoT cybersecurity attacks in the future?

[2]

The Act, which was discussed in two trilogue meetings by the European Parliament, the Council and the Commission on 13 September and 1 October 2018, and is planned to be finalised by the end of this year, foresees, among other things, the establishment of an EU cybersecurity certification framework for ICT products, systems and services.9 ICT products and services shall directly incorporate security features by design. Moreover, customers and users of ICT products need to be able to evaluate and ascertain the level of security assurance of the products and services they have purchased.10 Similar to the CE mark11, which indicates to consumers that products sold in the EEA have been assessed to meet high safety, health and environmental protection requirements, the general purpose of a European cybersecurity certification scheme is to attest that ICT products and services comply with specified security requirements.12 For this reason three assurance levels of certification are proposed in the Act (art. 46 [2] of the proposed Act): basic, substantial and/or high. These certificates shall be issued by accredited institutions.

[3]

However, according to the proposed Act, not only shall certification be voluntary (art. 48 [2]), but product manufacturers or service providers shall also be entitled to conduct a self-assessment for the basic certification of low-complexity IoT devices that present a low risk to the public interest.13

[4]

As one might imagine, there is already advice and guidance on security for IoT devices, e.g. by the IoTSF14 or the GSMA15. And yet, the German Federal Office for Information Security (BSI) assumes that the majority of IoT devices are infected with malware.16 The Act will need to prove that, despite voluntary and self-assessed certification of IoT devices, it can close this gap and actually increase security.

[5]

Criticism has been raised by security experts because the root causes of IoT security threats appear to include a lack of security awareness, time-to-market pressure, difficult IoT firmware updates and, of course, missing (security) funding.17 These weaknesses are exploited by third parties to (intentionally) cause damage. Approximately 13 billion18 IoT devices are estimated to be deployed by 2020 in the consumer electronics segment, rendering IoT even more pervasive. With such estimated roll-out numbers, the IoT elements of connected devices are likely to be produced at low cost. Funding for security might therefore not rank particularly high in the production budget, potentially leaving IoT devices insecure and exploitable by (malicious) third parties.

[6]

So what can you do at the moment to prevent your IoT devices, e.g. your WLAN loudspeakers, from being hijacked? You could, for example, use strong passwords, update the firmware regularly, avoid UPnP19 where possible, use a VPN20 to connect to your IoT device, and only trust other secured protocols, e.g. https websites.21
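The consumer-side mitigations listed above can be turned into a simple configuration audit. The following is an added example, not code from the article or from any certification scheme it discusses: it checks a constructed device configuration record for a weak or default password, outdated firmware, UPnP, a management interface exposed to the Internet without a VPN, and a management page not served over HTTPS. The `DeviceConfig` schema, the sample values and the short list of default passwords are assumptions made for this example.

```python
"""Added example: audit an IoT device configuration against the
consumer mitigations discussed in the article (strong password,
current firmware, no UPnP, VPN-only remote access, HTTPS).
The configuration schema and all sample values are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed list of typical factory-default credentials; an audit
# should treat any of these as a finding regardless of length.
DEFAULT_PASSWORDS = {"", "admin", "password", "root", "1234", "12345", "123456"}


@dataclass
class DeviceConfig:
    name: str
    admin_password: str
    firmware_version: str          # version currently installed
    latest_firmware_version: str   # version advertised by the vendor
    upnp_enabled: bool             # device may open router ports itself
    remote_admin_exposed: bool     # management port reachable from the Internet
    behind_vpn: bool               # remote access only via VPN
    management_url: str            # URL of the admin interface


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def password_is_strong(pw: str) -> bool:
    """Not a known default, at least 12 characters, and at least three
    of: lowercase, uppercase, digit, symbol."""
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 12:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    return sum(1 for pattern in classes if re.search(pattern, pw)) >= 3


def audit(cfg: DeviceConfig) -> List[str]:
    """Return one human-readable finding per failed check (empty if hardened)."""
    findings = []
    if not password_is_strong(cfg.admin_password):
        findings.append("weak or default admin password")
    if _version_tuple(cfg.firmware_version) < _version_tuple(cfg.latest_firmware_version):
        findings.append(
            f"firmware {cfg.firmware_version} is behind latest {cfg.latest_firmware_version}"
        )
    if cfg.upnp_enabled:
        findings.append("UPnP enabled: device can open router ports on its own")
    if cfg.remote_admin_exposed and not cfg.behind_vpn:
        findings.append("management interface reachable from the Internet without VPN")
    if not cfg.management_url.lower().startswith("https://"):
        findings.append("management interface not served over HTTPS")
    return findings


# Constructed sample: a loudspeaker left at factory settings.
WEAK_DEVICE = DeviceConfig(
    name="living-room-speaker", admin_password="admin",
    firmware_version="1.0.2", latest_firmware_version="1.4.0",
    upnp_enabled=True, remote_admin_exposed=True, behind_vpn=False,
    management_url="http://192.168.1.50/admin",
)

# Constructed sample: the same device after applying the mitigations.
HARDENED_DEVICE = DeviceConfig(
    name="living-room-speaker", admin_password="Tr0ub4dor-lobby-2018!",
    firmware_version="1.4.0", latest_firmware_version="1.4.0",
    upnp_enabled=False, remote_admin_exposed=False, behind_vpn=True,
    management_url="https://192.168.1.50/admin",
)


if __name__ == "__main__":
    for device in (WEAK_DEVICE, HARDENED_DEVICE):
        result = audit(device)
        print(f"{device.name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The checks are deliberately independent, so a device that passes four of them still surfaces the fifth; in practice the firmware comparison would read the vendor's advertised version from its update feed rather than from a field in the record.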

Daniel Ronzani

  1. Distributed Denial of Service is an attack by many distributed computers to impede the availability of one computer. Cf. MELANI, tinyurl.com/yb8ztywo.
  2. Source code available on GitHub: tinyurl.com/zfxx48e.
  3. This can literally be any Internet-enabled device, e.g. your webcams, your WLAN fridge, your WLAN loudspeakers.
  4. The Domain Name System is one of the most important Internet services because it matches web addresses with IP addresses (similar to a telephone book).
  5. S. Hilton, Dyn Analysis Summary Of Friday October 21 Attack, Company News, 26 October 2016, tinyurl.com/ybdw66jc.
  6. W. Turton, This Is Why Half the Internet Shut Down Today, GIZMODO, 21 October 2016, tinyurl.com/juhg5dn.
  7. A. Schiffer, How a fish tank helped hack a casino, The Washington Post, 21 July 2017, tinyurl.com/y95vkbfx.
  8. Proposal for a Regulation of the European Parliament and of the Council on ENISA, the «EU Cybersecurity Agency», and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification («Cybersecurity Act»), COM(2017) 477 final, Brussels 13 September 2017, tinyurl.com/ybuloe74.
  9. Communication from the Commission to the European Parliament, the European Council and the Council, 16th Progress Report towards an Effective and Genuine Security Union, COM(2018) 690 final, Brussels 10 October 2018, p. 8–9 and Annex, tinyurl.com/yaq94b8n.
  10. Supra FN 8, p. 8.
  11. European Commission, CE marking, tinyurl.com/yd575p4x.
  12. Supra FN 8, p. 10.
  13. Proposal for a Regulation of the European Parliament and of the Council on ENISA, the «EU Cybersecurity Agency», and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification («Cybersecurity Act») – Preparation of the first informal trilogue, Interinstitutional File: 2017/0225(COD), Brussels 11 September 2018, p. 68, tinyurl.com/y7pmozvs.
  14. IoT Security Foundation, tinyurl.com/ybyeofgu.
  15. Group Special Mobile Association, www.gsma.com.
  16. ots, BSI-Chef warnt: Mehrzahl der internetfähigen Geräte ist durch Schadsoftware infiziert, Neue Osnabrücker Zeitung, 24 November 2018, tinyurl.com/yafhtj3u.
  17. K. Munro, WHY is consumer IoT insecure?, PenTestPartners, 7 March 2018.
  18. The Internet of Things (IoT) Units Installed Base by Category from 2014 to 2020 (in billions), Statista 2018, tinyurl.com/yaeva9tk.
  19. Universal Plug and Play: a set of networking protocols that permits networked devices, e.g. mobile phones, WLAN printers and other IoT devices, to seamlessly discover each other on the network and share data.
  20. Virtual Private Network: technology to securely connect computers with an encrypted connection across a public network.
  21. US-CERT, Alert (TA16-288A), Heightened DDoS Threat Posed by Mirai and Other Botnets, last revised 17 October 2017.