Challenges of creating better IoT security
So, five easy steps to better security and you are good to go? Not so much.
First, as any mainstream consumer could tell you, those are not all easy. Jennifer Janesko, senior consultant at Synopsys, said it is “a good step that the FBI is offering a laundry list of actions that users can take to protect themselves,” adding that each one makes sense, given that each addresses a recent set of attacks. “But the majority of the recommendations are not going to be actionable by the typical end user.”
As an example, she cited “Janis,” a family member who has numerous connected devices in her home—“router, laptop, tablet, security camera, smart vacuum cleaners, multifunctional devices, smart television, etc.”
Janesko said when she visits Janis, a few “innocent” questions about the functioning or performance of those devices guarantee that “I will spend an entire day taking her network or device apart, performing upgrades, maintenance, or security scans, and then fixing things to be more secure.”
“Day to day, she does not worry about how her network is configured, and she adds and removes devices according to the manufacturer instructions and/or the wizards that are presented when you first turn a device on.”
Obviously, not everybody is fortunate enough to have an IT expert in the family. So if Janis were like the rest of us, how would she do with that FBI list? Probably not so well, Janesko acknowledges.
Start with the firmware update. While many have heard the term, most do not understand what firmware is or even if their devices contain it. “If Janis gets explicit instructions from a manufacturer to update her firmware, because she has registered it, she will do it,” Janesko said. “But it is highly unlikely she will do it because the FBI says so. They did not provide step-by-step instructions, and each device update process is different.”
And searching online to find instructions on how to update firmware can be “overwhelming,” she said, given that user manuals frequently cover multiple devices. “The instructions may not exactly match the firmware version that is running on the actual device. Hence, it will be intimidating.”
Then there is changing the default password, probably the most practical and feasible recommendation on the list. But even that comes with its own complications. Some devices may not even offer that option.
Beyond that, “users may not be aware how to do this on the device. And aside from reusing their own passwords, how do they select a password that is strong and hasn’t already been reused?” Janesko said. “Users need a generic way to generate strong passwords for these devices, like using passphrases and/or a generic, cross-platform tool. It would also make sense to suggest for them a minimum length for the passwords/passphrases.”
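As an added example (not from the article, Janesko or Synopsys) of the kind of generic, cross-platform passphrase tool described above: it draws words with a CSPRNG, enforces a minimum length, reports the entropy the generator actually provides, and rejects a passphrase the user has already used elsewhere. The word list and the set of previously used passwords are constructed placeholders.

```python
import math
import secrets

# Constructed sample word list. A real tool would use a large published list
# (several thousand words); with only 24 words each word adds just ~4.6 bits.
WORDS = [
    "anchor", "basil", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saffron", "thistle", "umber", "velvet", "willow", "yarrow",
]

SEPARATOR = "-"


def generate_passphrase(words=WORDS, num_words=4, min_length=20):
    """Pick words with the CSPRNG in `secrets` (never `random`), then keep
    appending words until the joined passphrase meets the minimum length."""
    chosen = [secrets.choice(words) for _ in range(num_words)]
    while len(SEPARATOR.join(chosen)) < min_length:
        chosen.append(secrets.choice(words))
    return SEPARATOR.join(chosen)


def passphrase_entropy_bits(passphrase, words=WORDS):
    """Entropy from the generator's point of view: log2(list size) per word.
    This is what an attacker who knows the word list must search, so it is
    the honest measure of strength, not the character count."""
    word_count = len(passphrase.split(SEPARATOR))
    return word_count * math.log2(len(words))


def is_acceptable(passphrase, previously_used, min_length=20):
    """Apply the two checks the text asks for: a minimum length and no reuse.
    The reuse check is case-insensitive so 'Anchor-Basil' is caught as a
    reuse of 'anchor-basil'; `previously_used` is a constructed set here."""
    if len(passphrase) < min_length:
        return False
    used = {p.lower() for p in previously_used}
    return passphrase.lower() not in used


if __name__ == "__main__":
    # Constructed example of passwords Janis already uses elsewhere.
    already_used = {"anchor-basil-candle-dolphin"}
    candidate = generate_passphrase()
    while not is_acceptable(candidate, already_used):
        candidate = generate_passphrase()
    print(candidate, f"{passphrase_entropy_bits(candidate):.1f} bits")
```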
And while multifactor authentication is “much, much more powerful than password protection, there are some barriers,” she said. Among them, “you have to have an additional device. This means Janis would need to go out and buy it or order it online. Unless she is forced to do so, she is not going to do it.” “We need an agreed-upon path for authentication. It must be easy,” she said.
Creating segregated networks
Probably the least feasible recommendation for the average user: Create a guest home network. A bit like expecting car owners to do their own brake jobs.
“Janis will not be able to do this on her own,” Janesko said. “She will have to contract someone to do it.”
Jeff Wilbur, technical director at the Online Trust Alliance (OTA), argues that if users work at it, they can become more capable in managing the security of their devices, even if some of the recommendations from the FBI “may be out of the norm for most users, and require some research to perform the first time.” He said the recommendations are, in general, “practical and straightforward, and in line with those made by us and others.”
Still, as Janesko notes, once people have spent money on a device, struggled through the setup and configuration, downloaded the accompanying app, and configured it, they are not likely to follow recommendations they do not understand.