Security by design & Code of Practice for consumer IoT security

This article that is not just meant for the IT and GDPR nerds, but for everyone to see how complicated Internet of Things operate; considerations to make before embracing all the SMART HOME solutions.

There are a number of reasons why we should welcome this UK initiative published 14th. of October 2018.

Let us just take a general look at WHY standards are important?

Standards provide:

• Safety and reliability – Adherence to standards helps ensure safety, reliability and environmental care. As a result, users perceive standardized products and services as more dependable – this in turn raises user confidence, increasing sales and the take-up of new technologies.
• Support of government policies and legislation – Standards are frequently referenced by regulators and legislators for protecting user and business interests, and to support government policies. Standards play a central role in the European Union's policy for a Single Market.
• Interoperability – the ability of devices to work together relies on products and services complying with standards.
• Business benefits – standardization provides a solid foundation upon which to develop new technologies and to enhance existing practices. Specifically standards:
• Open up market access
• Provide economies of scale
• Encourage innovation
• Increase awareness of technical developments and initiatives
• Consumer choice - standards provide the foundation for new features and options, thus contributing to the enhancement of our daily lives. Mass production based on standards provides a greater variety of accessible products to consumers. ETSI.org

I say, standards should also be a driver for trust between the manufacturer and the consumer

For example, when I go shopping for an outdoor lamp, I look for the IP standard that informs me how water proof it is.

Standards can help us evaluate security aspects when connecting an IoT, whether via WiFi or SIM card. I have mentioned a few myself in articles here at LinkedIn, e.g.: WPA3 and TLS 1.3 that differs vastly from previous standards, without comparison.

On the use of IoT devices, here is an article from July 2018 by TREND MICRO

"Trend Micro recently conducted a global survey of IT and security decision makers. When asked about the top consequence to IoT security, many would have expected it to be data loss.

However, the top consequence named with 52% of respondents was “Loss of Customer Trust.”

IoT has a physical component that is unusual in the all cloud and software IT world. And if that physical component has a vulnerability or is attacked, that physical component can’t be re-imaged or overwritten. Your customer will be staring at a physical embodiment of the insecurity of your product or service. Even with the fastest supply chain and delivery service, they’ll be staring at it and cursing it longer than even a slow software patch."

"However, IoT does share one characteristic with IT – poor security at time of implementation. In the survey, 42% cited security as an afterthought in their IoT strategies."

TrendMicro

Code of Practice for consumer Internet of Things security

This is what I have been looking for when I express my concern for the SMART HOME market. The terminologi used is 'smart home solution', only thing is, security wise it is not smart. We do need regulation before we push smart home devices/products on the market.

"Home is where your app is"

"Home connect app and Amazon Alexa"

"The IoT represents a new chapter of how technology becomes increasingly common in our homes, making people’s lives easier and more enjoyable. As people entrust an increasing amount of personal data to online devices and services, the cyber security of these products is now as important as the physical security of our homes.

The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia. The Code was first published in draft in March 2018 as part of the Secure by Design report."

Test the guidelines on your babyalarm, video camera, radiator and room thermostat, stove, oven, watermeter, printer etc.

GUIDELINES

1. No default passwords

All IoT device passwords shall be unique and not resettable to any universal factory default value

Many IoT devices are being sold with universal default usernames and passwords (such as ‘admin, admin’) which are expected to be changed by the consumer. This has been the source of many security issues in IoT and the practice needs to be eliminated. Best practice on passwords and other authentication methods should be followed4.

Primarily applies to: Device Manufacturers

2. Implement a vulnerability disclosure policy

All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.

Knowing about a security vulnerability allows companies to respond. Companies should also continually monitor for, identify and rectify security vulnerabilities within their own products and services as part of the product security lifecycle. Vulnerabilities should be reported directly to the affected stakeholders in the first instance. If that is not possible vulnerabilities may be reported to national authorities5. Further details of the different approaches to take in different circumstances are included in the explanatory notes. Companies are also encouraged to share information with competent industry bodies6.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

3. Keep software updated

Software components in internet-connected devices should be securely updateable. Updates shall be timely and should not impact on the functioning of the device. An end-of-life policy shall be published for end-point devices which explicitly states the minimum length of time for which a device will receive software updates and the reasons for the length of the support period. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated, the product should be isolatable and replaceable.

The provenance of security patches should also be assured and they should be delivered over a secure channel. The basic functions of a device should continue to operate during an update wherever possible, for example a watch should continue to tell the time, a home thermostat should still operate and a lock should continue to unlock and lock. This may seem primarily a design consideration, but can become a critical safety issue for some types of devices and systems if not considered or managed correctly.

Software updates should be provided after the sale of a device and pushed to devices for a period appropriate to the device. This period of software update support shall be made clear to a consumer when purchasing the product. The retailer and/or manufacturers should inform the consumer that an update is required. For constrained devices with no possibility of a software update, the conditions for and period of replacement support should be clear.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

4. Securely store credentials and security-sensitive data

Any credentials shall be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.

Reverse engineering of devices and applications can easily discover credentials such as hard-coded usernames and passwords in software. Simple obfuscation methods also used to obscure or encrypt this hard-coded information can be trivially broken. Security-sensitive data that should be stored securely includes, for example, cryptographic keys, device identifiers and initialisation vectors. Secure, trusted storage mechanisms should be used such as those provided by a Trusted Execution Environment and associated trusted, secure storage.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

5. Communicate securely

Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage. All keys should be managed securely.

The use of open, peer-reviewed internet standards is strongly encouraged. Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

6. Minimise exposed attack surfaces

All devices and services should operate on the ‘principle of least privilege’; unused ports should be closed, hardware should not unnecessarily expose access, services should not be available if they are not used and code should be minimised to the functionality necessary for the service to operate. Software should run with appropriate privileges, taking account of both security and functionality.

The principle of least privilege is a foundation stone of good security engineering, applicable to IoT as much as in any other field of application.

Primarily applies to: Device Manufacturers, IoT Service Providers

7. Ensure software integrity

Software on IoT devices should be verified using secure boot mechanisms. If an unauthorised change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.

The ability to remotely recover from these situations should rely on a known good state, such as locally storing a known good version to enable safe recovery and updating of the device. This will avoid denial of service and costly recalls or maintenance visits, whilst managing the risk of potential takeover of the device by an attacker subverting update or other network communications mechanisms.

Primarily applies to: Device Manufacturers

8. Ensure that personal data is protected

Where devices and/or services process personal data, they shall do so in accordance with applicable data protection law, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Device manufacturers and IoT service providers shall provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service. This also applies to any third parties that may be involved (including advertisers). Where personal data is processed on the basis of consumers’ consent, this shall be validly and lawfully obtained, with those consumers being given the opportunity to withdraw it at any time.

This guideline ensures that:

i. IoT manufacturers, service providers and application developers adhere to data protection obligations when developing and delivering products and services;

ii. Personal data is processed in accordance with data protection law;

iii. Users are assisted in assuring that the data processing operations of their products are consistent and that they are functioning as specified;

iv. Users are provided with means to preserve their privacy by configuring device and service functionality appropriately.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers Retailers

9. Make systems resilient to outages

Resilience should be built in to IoT devices and services where required by their usage or by other relying systems, taking into account the possibility of outages of data networks and power. As far as reasonably possible, IoT services should remain operating and locally functional in the case of a loss of network and should recover cleanly in the case of restoration of a loss of power. Devices should be able to return to a network in a sensible state and in an orderly fashion, rather than in a massive scale reconnect.

IoT systems and devices are relied upon by consumers for increasingly important use cases that may be safety-relevant or life-impacting. Keeping services running locally if there is a loss of network is one of the measures that can be taken to increase resilience. Other measures may include building redundancy into services as well as mitigations against DDoS attacks. The level of resilience necessary should be proportionate and determined by usage but consideration should be given to others that may rely on the system, service or device as there may be a wider impact than expected.

Primarily applies to: Device Manufacturers, IoT Service Providers

10. Monitor system telemetry data

If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.

Monitoring telemetry, including log data, is useful for security evaluation and allows for unusual circumstances to be identified early and dealt with, minimising security risk and allowing quick mitigation of problems. In accordance with Guideline 8, however, the processing of personal data should be kept to a minimum and consumers shall be provided with information on what data is collected and the reasons for this.

Primarily applies to: IoT Service Providers

11. Make it easy for consumers to delete personal data

Devices and services should be configured such that personal data can easily be removed from them when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data.

IoT devices may change ownership and will eventually be recycled or disposed of. Mechanisms can be provided that allow the consumer to remain in control and remove personal data from services, devices and applications.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

12. Make installation and maintenance of devices easy

Installation and maintenance of IoT devices should employ minimal steps and should follow security best practice on usability. Consumers should also be provided with guidance on how to securely set up their device.

Security issues caused by consumer confusion or misconfiguration can be reduced and sometimes eliminated by properly addressing complexity and poor design in user interfaces. Clear guidance to users on how to configure devices securely can also reduce their exposure to threats.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

13. Validate input data

Data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices shall be validated.

Systems can be subverted by incorrectly formatted data or code transferred across different types of interface. Automated tools are often employed by attackers in order to exploit potential gaps and weaknesses that emerge as a result of not validating data. Examples include, but are not limited to, data that is:

i) Not of the expected type, for example executable code rather than user inputted text.

ii) Out of range, for example a temperature value which is beyond the limits of a sensor.

Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

Have you ever looked at a device as a SMART SPEAKER like the Huawei AI Cube (that is not a cube shape). I bet you are about to buy one for Christmas. Before you do, read my post Hellere fed HiFi end WiFi Try to count the number of unique identifiers you will be tracked via, and write them in the comments field :-)

My conclusion is short

IoT is complicated, and it is our responsibility as consumers to try to understand what are the implications for our security and Privacy. I also believe that our academia and institutions (e.g. Kommunernes Landsforening, Alexandra Institute, BSS, Erhvervsministeriet, Dansk Industri, Dansk Erhverv in DK) -must relate to these issues before they recommend SMART HOMES to the public. And to all the private IT companies offering solutions to many customers, -I hope you will make use of these principles and many more. Its all about trust and data privacy....

It will be interesting to see how many manufacturers will officially support this code of practice, so far it is only two.

..........................................................................................................................

STANDARDS On a sidenote I would like to mention that some ISO standards can be releant as well when considering the use of Internet of Things, as mentioned in following text: A high-level summary of standards on the horizon for the connected world 11 September 2018: Hazards and Safety Requirements of Internet of Things (IoT).

Further reading:

Report Code of Practice for Consumer IoT Security

Consumer Guidance for Smart Devices in the Home

The Privacy Challenge in IoT ETSI STF 547

Improving consumer IoT security: work by the UK Government and ETSI

ENISA's effort to foster IoT cybersecurity

Security for Battery Efficient IoT

ETSI TC Cyber Feedback from the ETSI Security Week

The security challenge in IoT

TLS 1.3 is going to save us all, and other reasons why IoT is still insecure

#SecuritybyDesign #SecuritybyDefault #PII #SmartHome #IoT #ePrivacy #Cybersecurity #Standards #Codeofpractice #Dataethics