Podcast: Protecting the Internet of Things
Disclosure: The opinions expressed by Eurasia Group analysts in this podcast episode are their own, and may differ from those of Microsoft and its affiliates.
Beau Woods: So for a long time there was a concept that people said, "IoT devices, no one would ever hack an IoT device. That's ridiculous. There's no money in it," right? But now we've seen that adversaries can gain things from IoT devices.
Vince Jesaitis: Government plays an incredibly important role in all of this. The market is certainly trending towards more secure IoT devices, but governments and action from governments can really accelerate that.
Ali Wyne: Welcome to Patching the System, a special podcast for the Global Stage series, a partnership between GZERO Media and Microsoft. I'm Ali Wyne, a senior analyst at Eurasia Group. Throughout the series we're highlighting the work of the Cybersecurity Tech Accord, a public commitment for more than 150 global technology companies dedicated to creating a safer cyberworld for all of us.
Today we're talking about the Internet of Things, billions of devices around the world that are network-connected, collecting, and sharing data, smart watches, smart refrigerators, even light bulbs you can turn on using your phone. Smart device manufacturing is a big business. It could top half a trillion dollars globally by 2028.
Ali Wyne: But this new world of products also brings new risks both for privacy and security, that are rarely considered as you switch to these so-called smart devices. And some consumers have already felt the real impacts of this, experiencing vulnerabilities, and even attacks, on Internet-of-Things devices, from smart home security cameras to smart coffee machines, to implantable heart devices.
And given these new risks, important discussions need to be had about what responsibilities individuals and organizations have to protect us against these vulnerabilities. I recently spoke to Annalaura Gallo, the head of the Secretariat of the Tech Accord, about the dangers that smart devices and appliances can present.
Annalaura Gallo: They can be used to steal data, but also for illicit surveillance. So a house theft or heist could happen because some attackers are checking what's happening within the house, through a smart webcam, for instance. They could also be used in order to obtain a ransom. This is a bit less likely, but we have seen cases like that. So attackers could hack into IoT devices, slow them down or shut down certain functionalities, and put them back in order only when they receive the ransom. But the most concerning situation is when these devices are used as an attack base to infect more machines. They are a bit of an entry point to then conduct larger scale attacks.
Ali Wyne: So let's dive in now to talk about threats and solutions. Making the environment safer for consumers will take a coordinated effort on the part of industry, experts, and individuals, and here to help us think about better ways to safeguard ourselves today, we have two guests.
First up, Vince Jesaitis, who has deep industry knowledge on these products as a senior director of government affairs at Arm, a semiconductor and software design company. Vince, Welcome.
Vince Jesaitis: Thank you for having me, Ali.
Ali Wyne: And in addition to that industry perspective, we're excited to have with us Beau Woods, someone who could hack into your own devices if he wanted to. Luckily for us, he's a cybersafety advocate looking to protect us all through his work at I Am The Cavalry, an all-volunteer initiative driving cybersecurity for public safety. Beau, it's great to have you.
Beau Woods: Great to be here, Ali.
Ali Wyne: Vince, let me start with you. So it's estimated that there are going to be more than 40 billion Internet-of-Things devices globally by 2025, so just in three years. So how quickly is this landscape of connected devices changing for consumers?
Vince Jesaitis: I would say it is changing incredibly rapidly, much like everything else over the last two years. The pandemic has accelerated the trend towards the adoption of IoT, both in the workplace, also at home. If you think about some of the solutions that were discussed early in the pandemic on how we could return to normal office life, it involved use of lots of new technology to trace employees, measure temperatures when they're coming in, contact trace, et cetera.
Vince Jesaitis: Similarly, as people were spending more time in the house over the last couple of years, there are a lot of benefits that can come from automating tasks through IoT devices, whether it's using smart light switches and bulbs that can be set to certain schedules to turn on and off, which can save electricity, connected garage door openers, smart doorbells, smart security cameras around your house, they can just provide additional security and comfort.
A good example of this that I could give from my own experience is, a couple of weeks ago we were traveling on a family vacation, and we have a smart thermostat in our house. And I started getting a notification through my smart phone that the furnace in our house had been running, but the temperature wasn't increasing. And so I was able to turn it off remotely.
What had actually happened was, there was a power outage in our neighborhood which had caused some sort of breaker to switch in our HVAC unit. If we didn't have that smart thermostat, the furnace could have been running for two or three days while we were still gone. It could've led to additional parts being worn out, or worst-case scenario, it could have created some sort of electrical damage, or potentially, fire.
So a lot of the benefits of IoT are around convenience, but I think that's one example of how they can help provide real financial and potentially safety benefits as well.
Ali Wyne: Beau, let me turn to you. When we talk about a consumer Internet of Things cyberattack, what do we mean specifically? So tell us, in an Internet of Things cyberattack, what has happened and what's possible.
Beau Woods: Yeah. As we heard, there are huge potential benefits from IoT devices, but there can be some downsides, right? So accidents and adversaries can cause any of the things that you could do with that device to happen without your knowing it, or without your commanding it to do so.
Beau Woods: Software adds complexity to the systems, and complexity adds potential for things to go wrong in novel and unexpected ways. So using the smart thermostat example, adversaries can connect to it, then they could potentially turn on, or off, the thermostat, maybe tamper with some other things to cause a potential safety issue.
Beau Woods: And in fact, with some of the smart thermostats, there was a software update that happened to them - or a configuration change - that was remotely pushed down from the manufacturer, that turned several dozen, or several hundred, off in Chicago in winter. And you can imagine, if you don't have heating in Chicago in winter, it can get pretty brutal.
Ali Wyne: Oh, absolutely.
Beau Woods: Basically, anything that the device can do, that you want it to do, adversaries could potentially trigger that, or accidents due to the complexity and the increased complexity of those systems.
Ali Wyne: So, Vince, I want to come back to you, and I want to build on what Beau was just saying right now. So talking about... There's a kind of inherent duality to these Internet of Things devices. So on the one hand, of course, they can potentially confer a very wide range of benefits, but as Beau was just saying, in parallel to those benefits are also a set of vulnerabilities.
And so I want to probe a little bit more to ask, what is it about these devices that's special, and in particular, why exactly are these IoT devices different from just, say, regular computers? And why is, say, a smart doorbell, or in your case a smart thermostat... Why are those devices harder to secure than the devices that we're used to?
Vince Jesaitis: Maybe I'll start by talking about a traditional personal computer or smart phone. If you think about all the tasks you perform on one of those devices, they're incredibly complex. You could do word processing, video editing, web browsing. Each of those tasks requires a lot of compute power.
On the other hand, most IoT devices do one or two things. Their functionality, and therefore their computing power is generally exceptionally lower than you would find in a traditional personal computer or smart phone.
I also think, in the early stages of the IoT, let's say probably about a decade or so ago, when companies really started adding some level of computing capability to everyday devices, like a thermostat, or a doorbell, there were probably several misconceptions, or maybe miscalculations by the companies that started doing that.
I would say first, and Beau might disagree with this, but a lot of developers of those products probably didn't think a connected light bulb would be that attractive to hackers.
Secondly, I would say there was probably a belief around that time, rightly or wrongly, that security was expensive and time-consuming, and for someone that just wanted to get a product to the market, it was something that they didn't want to think about, or incorporate the cost to build that capability into a device.
Thankfully, I would say that the perspectives on both of these points have changed, and we're seeing a lot of progress in the security features and functionality built in to IoT devices. But historically, unfortunately, that has not necessarily been the case.
Ali Wyne: So, Beau, let me come back to you, and I kind of want to ask you the flip-side of the question that I just put to Vince. From your perspective, as we were introducing you as someone who could hack into our devices if you wanted to, but thankfully, you're on our side and helping us to secure our devices.
So Vince talked a little bit about why it's harder to secure these devices, and I wonder if you could help us understand what kinds of qualities make these devices easier to break into than say, traditional computer products?
Beau Woods: Yeah. I mean, IoT devices are basically computers with extra capability. As Vince mentioned, they have oftentimes limited computing power in them. But there's a, I think, broader concept here, which is that because the consequences are different, adversaries have had to figure out different ways to take advantage of it, right.
So for a long time there was a concept that people said, "IoT devices, no one would ever hack an IoT device. That's ridiculous. There's no money in it," right? But now we've seen that adversaries can gain things from IoT devices, potentially by using something like ransomware, or use them as a gateway to something else, where in a couple of cases, like a fish tank thermostat, I think, has been a vector to attack other computer systems.
It was just basically, they are exposed, and the adversary was able to use it to relay into other systems they cared more about. And because of that, the adversaries that will go after IoT devices will be different. They're not always going to be the kind of criminal element that you might think of. There's a lot of trends of breaking into IoT devices with really common passwords, and then using those IoT devices as kind of a digital army for distributed denial-of-service attacks, or for other types of attacks that can take down digital infrastructure on the internet.
Beau Woods: Oftentimes, we see that for nuisance, or to extort those websites, to give them money to keep them online, or to staunch the DDoS attack. And you also have a situation where a lot of these devices, they may be built to be put in place for a year or two, but they can last much, much longer.
So the home router that you have, if you're like most people, it's probably something that you've got for 10, 15, or more years in some cases. Think about a fridge. You're probably not going to replace your fridge every two years like you do your phone. So whatever security models we adopt for the IoT devices, and especially early IoT devices didn't have very good security models, you'll be stuck with that as a consumer for many, many years, and often in ways that are directly connected, or directly exposed to the internet so that you can do things like monitor or manage it remotely from your phone, or from another location.
So it's a combination of the limited computing power, limited ability to defend in some ways, the long time-scales, the practices that were in place when that device was put on the market, or put into your home, as well as the fact that most people treat IoT devices as kind of like set-it-and-forget-it. They install it once, and then don't ever mess with the configuration settings, or perform updates as we know that you should in any kind of good maintenance plan.
Ali Wyne: I think clearly, and we talked about this at the outset of our conversation, I think the attraction of these devices is only going to grow. I think that the market for these devices is only going to grow. But I trust that not everyone who's listening today, not everyone has the level of expertise that you and Vince do on sort of the intricacies of these devices.
So for some of the lay consumers who are listening, they buy a connected oven, or a connected dryer, or a connected thermostat... How can we lay consumers, how can we tell if those IoT devices that we purchased, how can we tell if they're safe?
Beau Woods: Yeah. That's a really good question, and it's something that I've worked on quite a bit with a bunch of other people as well, on trying to come up with some kind of simple rubric, or a simple easy-to-use way to tell one device from another device. And not all devices, and not all manufacturers, give you the information you need to be able to make a smart decision at buying time, or to be able to operate it in a secure and safe manner.
But some of the things that you can look for as an average buyer is things like supported lifetimes. So how long does the manufacturer say they'll support the device for? Is it able to get updates, even?
Secondly, you'll want to be able to change the password on the device. So, some devices say you can never change the password. It's hard-coded into the device, or it has a default that hard-coded in, so that when you reset it, it goes back to an insecure state, or a less secure state.
So you can look for devices that can easily change the password, and that have a unique default password, something that it goes back to. It's different from every other device that's sold so that adversaries who figure out the default password can't just compromise hundreds of thousands of these at once.
Third, you can look and see whether or not they have something like a coordinated vulnerability disclosure policy, a way for the device manufacturer to take help from security researchers or others who may find a vulnerability in a device, and report it in good faith to the company so that it can get fixed.
Ali Wyne: Vince, let me turn to you now. So Beau started giving us a sense of some of the solutions that companies are thinking of. Could you tell us a little bit more about what are some of the concrete steps that companies are taking to enhance the security of these consumer devices?
Vince Jesaitis: Absolutely. I would say, as in other areas of computing, there's a recognition that security cannot be an afterthought. It really needs to be addressed at every step in the development process. The Cyber Tech Accord, along with I Am the Cavalry, the World Economic Forum, and Consumers International, in February of this year released a statement calling on companies to adopt a lot of the principles that Beau was talking about in response to the last question, when they're developing IoT products.
Arm, itself, the company I work for, have developed a certification program called, PSA Certified, which measures against these criteria. If you look at the work that's being done by the Department of Commerce, and the European Telecommunications Standards Institute... Beau mentioned what's going on in the UK, or at least he mentioned the sentiment there. The government's acting in that space, as well.
All of this activity is really aligning with the direction that the industry is going, which is to ensure that there is baseline security capabilities in all IoT devices that are coming to market, and really putting market pressure on companies to address security when they're developing these products.
Ali Wyne: Beau, I want to come to you now. So you heard what Vince just said in terms of what Arm is doing, what other companies are doing in this space. What are some additional steps you think companies should be taking to enhance the security of these products, and what gaps do you currently see between where we are in terms of the security of these devices, and where we need to be?
Beau Woods: I'd say there's a huge variability across manufacturers, and across devices, from the very, very small organizations that are very nascent in their security journey, all the way up to some that are already doing a great job. There's a William Gibson quote, "The future is here. It's just not very evenly distributed." And I'd say that the future of security in IoT devices is here. It's just not very evenly distributed.
And so by getting word out, by helping manufacturers understand what the best security organizations are doing, I believe that we can help them get farther, and more mature on their security curve, as well as reduce overall costs to their manufacturing and design and manufacturing processes, but also the overall economy, right, as cybercrime and other types of cyberattacks have a toll on the economy.
Building security in from the start is a lot cheaper in the long run than trying to put it on after the fact, if you even can. And there are some capabilities that you absolutely can't do after the fact, right. If you don't have a software update mechanism, the way you have to update the software is, buy a new device, and that's not a great option for consumers.
So I think there's a lot of things that manufacturers can do. I think that the statement of support that we put out in February, that Vince mentioned, lays out some of those things and under each of those, there's a technical implementation companion in some of the standards that exist out there.
Ali Wyne: Both you and Vince have gotten at this point already, but the burden doesn't just fall on manufacturers. There also is a certain responsibility that lies with consumers, themselves. What are some additional steps that individuals can take to secure their products? How would you sort of apportion the responsibility for IoT security between companies and individuals?
Beau Woods: Yeah. That's a tough question. There's many different places where individuals might be able to make a different choice, or take a different action. First is at the buying stage, right. Buying things that are more securable, which can often mean they have more features, more capabilities. There's a benefit of going with some of those devices that can do a little bit more sometimes, because they have better security models.
They can read up on product manufacturer websites that talk about the product and the security of the product, and then when they get the device home, and they're operating it, they can set it up securely. A lot of manufacturers now have a wizard or a walk-through to securely set up your device. For those that don't, that could be an extra step that they could take. But at a certain point, there's not a lot that the consumer can actually do. It kind of falls on the manufacturer to provide things that are built in for them, or if they don't have a huge degree of technical sophistication, that's got to come from the manufacturer, and you can't always assume that the buyer's going to be tech-savvy enough to really set something up in a secure way.
Ali Wyne: That makes sense. So Vince, let me come back to you. So we've talked now about the responsibilities of manufacturers. Beau just talked about some of the responsibilities that lie with consumers. And of course, there's at least one other critical player in this space, and that is government.
What role does government play, specifically, with regulations? How should they interact with companies? How should they interact with consumers? But talk with us a little bit more about the role that government regulation, specifically, plays in enhancing the security of consumer IoT devices.
Vince Jesaitis: Yeah. Government plays an incredibly important role in all of this. The market is certainly trending towards more secure IoT devices, but governments and action from governments can really accelerate that. And I would say, historically they've not done that. Really, over the last three to four years you've started to see more governments across the globe take action, and I'll give you a couple of examples of that.
The US government, in particular, has been very active over the last three to four years. Congress passed a law that requires the Department of Commerce to come up with security capabilities for IoT devices that are going to be purchased and used in government facilities. In coordination with that, an entity within the Department of Commerce that does a lot of technical and standards work came up with a baseline cybersecurity IoT device requirement, and it lists a lot of the capabilities that we discussed earlier. But it's a good metric for companies to use, to measure against.
I would also add that as part of the Biden administration's executive order on cybersecurity last year, they required the Department of Commerce to come up with a consumer IoT security label that's easy to understand, so that when customers go into a store and they're shopping for an IoT device, they can pick up a package and one, know that security was addressed in some form or fashion while the device was being developed, but also requires some sort of way for a consumer to go to a website and get more specific information about how that IoT device is secured.
In a similar vein, the UK and the EU are moving in this direction, as well. By and large, I would say they're following the work from the European Telecommunications Standards Institute. And it's not just a US and European movement, either. Singapore has also adopted an IoT labeling program based on that same ETSI work. And South Korea, for instance, as well, has released IoT security guidance.
So there's a lot of similarities across all this activity, but it's a really positive thing to see because it's going to raise the floor and provide the consumers more security, and ultimately more confidence in these products that they're buying.
Ali Wyne: I want to now come back to the Cybersecurity Tech Accord, which is a main focus of this series that we're doing. And so the Cybersecurity Tech Accord, working together with I Am The Cavalry, working with Consumers International... So these are groups representing consumers, hackers, and industry. They brought together businesses, civil, society, and government stakeholders, and came up with a list of five things that all of those stakeholders should be doing to make consumer IoT devices safer.
Beau, could you tell us a little bit about that list, and why is it so important, especially coming from stakeholders who might not always have the same perspective?
Beau Woods: So that list was based on kind of a growing consensus around those five, that those five capabilities are things that should be provided by manufacturers and IoT devices.
We first came together to start working on getting this statement of support out. We wanted to make sure that it was kind of a whole-of-society viewpoint, that it wasn't just one type of group or another that was showing support. We wanted to really show that there is a large and growing body of people and organizations that have worked deeply on these problems, and that have found that there are some common implementable approaches to make more secure securable devices.
And so working with a lot of companies, manufacturers of the devices, manufacturers of the components, retailers, security companies, individual security researchers, people in different governments, we felt that that was a large swath of society, and the consumer groups, as well, a large swath of society that all had come to the same agreement. And so we felt that it was a really good way to just raise the visibility of these five practices, of these five capabilities, so that more manufacturers could begin adopting them, so that more policy makers could have visibility, so that more consumers could look at them and say, "How can I evaluate those five things?"
And I think that publishing this statement of support, we've seen a tremendous amount of follow-on support, other people that want to jump on board, other people who have learned about it because of this effort. And so I think it's been really, really impactful that way.
Ali Wyne: And Vince, some of the recommendations in this list of five, I think are reasonably clear, but I want to ask you, in particular, to zoom in a little bit on vulnerability disclosure policies. Tell us a little bit more about what those vulnerability disclosure policies would entail, and if you can, maybe give us a template for what a good one would look like for a company that's involved in this space.
Vince Jesaitis: Yeah. Vulnerability disclosure policies are something the average person has probably never heard of, or if they have, they probably don't really understand. I can say I didn't until I started working in the technology sector about 12 years ago. But they're incredibly important for cybersecurity. I would say, in short, they're internal policies that companies adopt to address security vulnerabilities or flaws that either the company finds, or others, independent researchers, or people just using the products bring to the company to let them know that there may be a vulnerability or a flaw in it.
I would say, a good vulnerability disclosure policy typically has a couple of key components. First, it really details who in the company is responsible for handling vulnerabilities that are brought to the company, and how they're going to mitigate potential vulnerability when they are made aware of those things.
Secondly, it provides a mechanism for outside individuals to report a potential issue. Oftentimes, users of technology, or researchers, are going to be more likely to find a problem with an IoT device or the software on it, than the company that actually makes it, just because they're spending so much more time with it, or scrutinizing it in a different way.
Lastly, I would say, a key component is for a company to make sure they have a timeline for making that vulnerability public.
And the last one might not be super-intuitive. You might wonder, if you have a vulnerability, why would you make that known publicly. But it's incredibly important so that users of that technology that have adopted either software, or deployed IoT product in their home or in their office, can understand that there's a potential issue with that problem, and can make sure that they're taking appropriate steps to protect themselves, either by finding an update for the software, or taking the device off of their network, or taking whatever other steps would be necessary to protect themselves if there is a vulnerability.
These look different for every company. A software company would respond to a vulnerability in their product in a different way than a hardware company, but those three components would be applicable regardless of where the company sits.
A good example of the differences in vulnerability disclosure policies can be found on the Cyber Tech Accord's website. Cyber Tech Accord, I think, has somewhere in the neighborhood of 100 companies that have signed up and nearly all of them have made their vulnerability disclosures public, and are linked to on that website.
Ali Wyne: Thanks, Vince. And Beau, I want to turn to you now. Beyond heeding these vulnerability disclosure policies and paying attention to them, what are some additional ways in which consumers can protect their personal data on IoT devices?
Beau Woods: Yeah. Obviously, a lot of consumers are concerned about personal data potentially leaking out, or someone potentially getting it and tampering with it, depending on what they're looking at. So if you can tamper with someone's settings for their connected thermostat, to use Vince's example, then maybe you could change up the schedule. Or maybe you could pull down some times when the person is home, not home. When you know that they're not home, go rob their house.
But if you want to protect that information, then some things you can do are firstly, before you buy a device, look at what kind of privacy policies are in place. Look at what kind of security policies the company maintains, because it's harder to protect your information when the company, themselves, doesn't do a great job of protecting it, or when part of their business model is to sell it to somebody else, right?
Secondly, and this ultimately comes down to personal choice, if there's a cloud-connected component to it, then look at what type of information is being sent out to the cloud. Most companies will have some information. There'll be some disclosures somewhere on the website that talks about the type of information that's sent off to a third-party location for storage or processing. Many devices can function without that cloud component, in which case they're not sending that data out. So you can make a choice. Lose some capabilities by not using the cloud functionality, or give over some of the information, and you can look at what information is sent out to the cloud.
And then finally, when you're getting ready to get rid of the device, a lot of them have some way to set it back to default settings, just wipe all the data off. In some cases you can delete your cloud account, and the company will give you guidance about whether or not they delete your data out of the cloud at that point.
But take those types of steps, and if you can't physically... If you can't do that in software to reset it back to factory settings, then you can take it to a place where they recycle devices. And in a lot of cases, they'll provide, as a service to consumers, to securely recycle that device, to take it apart, to break the chips, and to put that back into the supply chain of materials. So there's a lot of heavy metals, for instance gold, and tin, and copper, in electronics that have value. So some of these recyclers do it for free. They would just want the access to those resources.
Ali Wyne: I like this idea of a secure recycling. I hadn't heard of it, but I think that it's a really instructive and important point for consumers on how they can better protect their personal data.
Is there anything else you want consumers to know? If you were sort of closing out today, what else would you like consumers to know about threats in the IoT world, and what are some steps that consumers can take to advocate for themselves?
Beau Woods: I think for a lot of people listening, they're probably saying, "Oh, yeah. IoT devices, they're not really a big threat to me." Either, "I don't have them," or, "I just haven't seen any headlines about it." But the threat landscape is always changing, and in particular, one constant over time, there are more adversaries, there are more accidents that can happen, there are more models and motivations for adversaries to go after things. So while you may not be impacted today, that will change over the next 5, 10, 15 years, and the devices that you're buying today, many of them will be with you for that time period. So think about what choices you want to make to be more securable in your personal life.
Ali Wyne: And on that note I want to ask one last question to Vince. Vince, any reactions to what Beau just said? Or any closing thoughts to leave us with?
Vince Jesaitis: I think that's a great response and a great way to leave things. We've discussed what steps companies and governments are doing to drive up security, but really consumers need to scrutinize the products that they're buying and hold the manufacturers who are providing those companies more accountable. And we've given examples of several resources, but really it is going to depend on what they do in the store. And so I would say continue to ask questions, continue to look for devices that demonstrate security in some way. And make sure when those devices are being set up in your house, you take advantage of all the security features that are built in. So thank you for your time, Ali.
Ali Wyne: Well, thank you to both of you for answering so many questions. We will continue to ask questions because this topic, and the topics rather, that we've discussed are only going to grow more important.
Vince Jesaitis, senior director of government affairs at Arm, and Beau Woods, cybersafety advocate at I Am The Cavalry, thank you so much for being here, both of you.
Beau Woods: Thanks for having me.
Vince Jesaitis: Thanks for having me, Ali.
Ali Wyne: And that's it for this episode of Patching the System. You can tune in next time for more on the future of cyberthreats and what we can do about them. You can catch this particular podcast as a special drop in Ian Bremmer's GZERO World anywhere you get your podcasts.
I'm Ali Wyne. Thanks very much for listening.