UK government proposals for IoT security neglect risks posed by consumers

U.K. government plans to secure the internet of things will have limited success as they ignore the risk posed by consumers, according to a leading security expert.

By Tom Macaulay May 16th 2018

U.K. government plans to secure the internet of things will have limited success as they ignore the risk posed by consumers, according to a leading security expert.

The new proposals for IoT security were laid out in a policy paper titled Secure by Design (PDF). It includes a proposed code of practice with cardinal guidelines such as avoiding default passwords for devices and services, implementing a vulnerability disclosure policy, and keeping software updated to provide ongoing support.

The government expects these guidelines to be followed by all of the IoT stakeholders it identifies, but consumers are conspicuously absent from its list of stakeholders.

"Leaving out the consumer as a stakeholder takes away the need or the opportunity for the vendors to consider what happens to their device once it's out in the field," Sammy Migues, principal scientist at Synopsys and creator of the Building Security In Maturity Model, tells Computerworld UK.

Some consumers customise their devices to suit their preferences, which could create vulnerabilities in both their own devices and anything in the ecosystem to which they are connected, from enterprise networks to autonomous cars that communicate with one another on the road.

Malicious actors could exploit the vulnerabilities that consumers create in personal devices to gain an entry point to attack mission-critical systems and national infrastructure.

The risks will grow as the number of IoT devices proliferates.

Gartner estimates that there will be around 20 billion internet connected devices worldwide by 2020, while WRAP forecasts the UK household ownership of smart devices could rise from an average of 10 devices per household today to 15 by 2020.

"We might look back and say well they did it to themselves, but they're also doing it to others," says Migues. "They're breaking the ecosystem. Taking the owner out of the ecosystem and out of the stakeholder thinking is kind of a big deal.

"By not considering how people will change their devices, we can't really come up with a threat model that says if some of the devices operate the way they're supposed to and some don't, have the consumers made them more vulnerable or less vulnerable? What is the issue if they all stop talking to each other?"

Software security in IoT devices

Another issue with the proposals is that they do not include guidance on writing secure software. 

The code of practice suggests a number of ways in which security can be added to existing software, such as authentication methods, but Migues says that it overlooks the vulnerabilities in the underlying software code.

"Security software is not the same as software security," he says. "If you write software that's vulnerable to attack, it doesn't matter how many features it has, it's still going to be vulnerable to attack.

"So at some point, we need to understand that features make software useful, but software security makes software trustworthy and gives it high assurance and allows it to operate in areas where critical things or important things or safety things are more important than features.

"I probably need more security in my pacemaker than I need more features. I don't also need it to be an MP3 player. Although it would be pretty cool if my pacemaker was also an MP3 player, I probably need it to have more software security than security software."

Migues is also concerned that the proposals do not take account of the implications that could arise if IoT monopolies develop that could hold an enormous range of personal information.

"One of the reasons we call them internet of things devices is that they talk to each other and they talk back to the back end, so in the process we're creating new repositories of personally identifiable information (PII) that may not actually be covered by any current law or even have been discussed in accordance with any kind of ethical standards," he says.

"Even if I delete your name, address and phone number, if I know everything else about you, all the metadata, of everywhere you've been and everything you've bought and everything you've said online, I may be complying with the letter of the law, but someone who steals that information has way more than you ever intended for them to have."

What's next for the government plans for IoT security?

The government began to review IoT security practices in early 2017, months after the Mirai malware had compromised hundreds of thousands of IoT devices and used them as a platform to launch distributed denial of service (DDoS) attacks that blocked access to some of the world's most popular websites.

The attack was the largest DDoS attack ever recorded, according to analysis by cloud computing company OVH, one of the victims of the attack.

A draft version of the government's resulting policy paper was published in March. The government is now seeking input from stakeholders to refine the Code of Practice ahead of the publication of the final version in summer 2018.

Migues believes that there is there is still time to improve the proposals before they become official policy.

"What I would hope is that the folks who wrote this particular report from the UK government would take some suggestions both from people who are on the technical end of IoT and then also form the public who are on the receiving end of what IoT is going to bring about," he says.

"In other words, it's going to be all their data that's being captured. People have much more concern about that these days than they did even in the recent past, and they're starting to get quite worried about what that's going to mean."