The UK Government has released a draft code of practice designed to help manufacturers and end users better safeguard their Internet of Things (IoT) devices.
These practices have yet to be finalized, but this step by the government shows that, if no action is taken, Parliament will be forced to legislate. The increased adoption of IoT devices poses a significant threat to both commercial and critical infrastructure and has left the government with no other option but to intervene.
The rapid pace of IoT device production and adoption has resulted in basic security safeguards being blatantly ignored. Gartner predicts that by 2020 there will be over 20 billion connected devices in the world, the vast majority of which will be riddled with security vulnerabilities. Unlike familiar computing platforms such as regular operating systems, tablets, and smartphones, where manufacturers are responsible for factoring security into their design, IoT devices are seldom, if ever, patched, upgraded or hardened against misuse.
The internet-enablement of more devices, combined with the increased adoption of more function-rich application runtimes/environments, including full operating systems, has rendered these things much more vulnerable to misuse. And in a meshed-network world where everything has access to everything else, the potential for harm has increased exponentially, as the rapid and widespread propagation of WannaCry showed.
A seminal moment where the IoT threat became real was the infamous Mirai malware attack which took down some of the most popular websites including Twitter, Spotify, and PayPal. From connected security cameras to DVRs and Smart TVs, the Mirai attacks were perpetrated by millions of cheap connected devices.
This advice is long overdue and signifies that the government is fully aware of the very evident risks IoT presents to both individual and public safety. While these best practices are still in draft form and the UK government hoped the free market would make these changes itself, inaction will force their hand: “if this does not happen, and quickly, then we will look to make these guidelines compulsory through law.”
Dealing with the potential threat posed by IoT devices first requires understanding what you have. Regularly scan for all network-connected devices and identify what they are. Anything new must be checked for how it operates, what its functions/capabilities are, and how it can be secured.
Changing default usernames and passwords is always a good first step in any successful hardening program, but disabling UPnP services where possible, and firewalling them where not, should be key. Thereafter, System Integrity Monitoring is a key practice in determining if any suspicious activity has taken place that could represent an IoT-based attack.
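
The inventory and hardening steps above can be combined into one recurring check. The following is an added example, not part of the original article: it compares a scan against a reviewed baseline and flags new devices, default credentials, reachable UPnP and changed firmware. The field names, finding codes and sample data are assumptions constructed for illustration, and the firmware-hash comparison is a simplified stand-in for integrity monitoring.

```python
SSDP_PORT = 1900  # UPnP discovery (SSDP) uses UDP port 1900

# Constructed baseline: devices already identified and reviewed, keyed by MAC.
# MACs, IPs and hashes are placeholder values, not real devices.
BASELINE = {
    "00:00:5e:00:53:01": {"name": "lobby-camera", "fw_hash": "c0ffee01"},
    "00:00:5e:00:53:02": {"name": "meeting-room-tv", "fw_hash": "c0ffee02"},
    "00:00:5e:00:53:03": {"name": "dvr", "fw_hash": "c0ffee03"},
}

# Constructed result of the latest network scan and credential review.
SCAN = {
    "00:00:5e:00:53:01": {"ip": "192.0.2.10", "udp_open": [],
                          "default_creds": False, "fw_hash": "c0ffee01"},
    "00:00:5e:00:53:02": {"ip": "192.0.2.11", "udp_open": [1900],
                          "default_creds": False, "fw_hash": "c0ffee02"},
    "00:00:5e:00:53:03": {"ip": "192.0.2.12", "udp_open": [],
                          "default_creds": False, "fw_hash": "deadbeef"},
    "00:00:5e:00:53:04": {"ip": "192.0.2.13", "udp_open": [1900],
                          "default_creds": True, "fw_hash": "c0ffee04"},
}


def audit(baseline, scan):
    """Return {mac: [finding codes]} for every device that needs attention."""
    report = {}
    for mac, dev in sorted(scan.items()):
        findings = []
        known = baseline.get(mac)
        if known is None:
            findings.append("NEW_DEVICE")           # not yet identified or reviewed
        elif known["fw_hash"] != dev["fw_hash"]:
            findings.append("FIRMWARE_CHANGED")     # integrity drift since baseline
        if dev["default_creds"]:
            findings.append("DEFAULT_CREDENTIALS")  # factory login still active
        if SSDP_PORT in dev["udp_open"]:
            findings.append("UPNP_EXPOSED")         # neither disabled nor firewalled
        if findings:
            report[mac] = findings
    # A baselined device that no longer answers the scan also deserves a look.
    for mac in sorted(set(baseline) - set(scan)):
        report[mac] = ["MISSING"]
    return report


if __name__ == "__main__":
    for mac, findings in audit(BASELINE, SCAN).items():
        print(mac, ", ".join(findings))
```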