EU to Introduce IoT Cybersecurity Legislation
Recognising the challenges presented by the wide-scale implementation of IoT devices, the EU is to introduce new cybersecurity legislation targeting manufacturers and developers of IoT solutions. What challenges do IoT devices present, what will the legislation aim to achieve, and how can engineers better defend their devices against cyberattacks?
What challenges do IoT devices present?
With each passing day, the number of IoT devices around the world continues to rise. Not only are the numbers increasing, but IoT technologies are being integrated into devices that typically wouldn’t have an internet connection. One such example would be thermostat controls; homes have traditionally relied on mechanical rotary devices to set the temperature of a room, but the inclusion of internet capabilities allows these thermostats to dynamically adjust depending on certain conditions. Another more humorous example is the IoT kettle, whereby a pot of tea can be brewed remotely (of course, not serving any real purpose other than for novelty).
But for all the benefits found in IoT devices, they present serious dangers concerning cybersecurity. Despite computing devices such as desktop PCs, laptops, and mobiles being equally vulnerable, the sheer number of IoT devices dwarfs personal devices, making them a valuable target for launching DDoS attacks and mass surveillance.
At the same time, IoT devices are also more likely to go unnoticed as they are not commonly interfaced with, and this allows for IoT devices to go for extended periods without receiving firmware updates (that may be essential for protecting against cyber criminals). It is also possible for manufacturers of IoT devices to be ignorant of growing cybersecurity concerns and lack any incentive to push updates to vulnerable devices.
Finally, IoT devices are often perceived as being a non-threat due to their limited capabilities, but this is far from the truth. In fact, it could be argued that a single unsecured IoT device on a network is the single biggest threat to that network. If a cybercriminal can access that device, it is possible for network credentials to be obtained, whereby the attacker can then gain entry to the wider internal network.
EU to announce new IoT cybersecurity legislation
Recently leaked documents from the EU reveal intentions to announce a new piece of legislation that aims to combat the growing security issues surrounding IoT devices. The new act, called the Cyber Resilience Act, is due to be announced in September 2022 and will force companies providing IoT solutions to comply with the new rules or face legal consequences, including sale bans and daily fines for not fixing issues.
According to the leaked document, it has been estimated that the new legislation will save companies over $290bn per year by protecting companies and preventing the need for paying ransoms, network maintenance, and rebuilding infrastructure after major attacks. Also, leaked information shows a study that only half of the manufacturers (a survey of 23,000 hardware manufacturers and 370,000 software developers) use adequate protection methods.
To help raise protection levels, manufacturers will be required to assess the cybersecurity risks of their products and then take appropriate actions to fix known issues. Furthermore, companies that identify product issues in the field will have 24 hours to contact the EU cybersecurity agency ENSIA. Finally, those that fail to comply with the proposed regulations will face either a 15 million euro fine or 2.5% of global turnover.
How can engineers better protect IoT devices?
While there are numerous methods for protecting IoT devices against cyberattacks, it is important to remember that most hacks are opportunistic. It is rare that a hacker breaks encrypted traffic (one gigabyte should do the trick if anyone gets the reference), reverse engineers code, and then launches a complicated attack to obtain sensitive information. Instead, most attacks are similar to when a career criminal walks by a house with its front door open.
For example, a wireless network can deploy complex passwords and robust security measures, but a single IoT device that can be accessed remotely with no credentials storing network keys in unencrypted flash memory immediately completely undoes all those security features. Another example would be a device with an admin login but uses admin and password as the username and passwords, respectively.
As such, the first act that must be done by engineers is to entirely eliminate default passwords and use random credentials for each device during manufacture. This way, no two products sold in a shop can have the same credentials, and this alone is an effective method for defending IoT devices.
The second method that engineers can implement is allowing for firmware updates and only accepting firmware updates from a server with authentication. This update should be turned on by default and difficult to disable so that consumers don’t accidentally turn it off. As such, any vulnerabilities can be pushed onto devices quickly.
The third method is for engineers to try and avoid the use of common hardware platforms that have been designed to be hacked, such as the Raspberry Pi. While these devices are great for prototyping and development, their easy hardware access can make them vulnerable to attack. In the case of the Raspberry Pi, there is no secure boot method meaning that users can swap the SD card for their own (and thus gain access to the internal network), or worse, can steal the SD card and copy the data for their own purposes.
Overall, engineers merely need to spend time identifying the obvious methods for accessing a device. Using secure sockets, enabling OTA updates, and disabling default login options are far more effective than trying to devise creative protection methods that may or may not protect a device from some exotic attack.
Gloss