Recent attacks show IoT devices are vulnerable, but what role do CSPs play in ensuring customer security?
Editor’s Note: The RCR Wireless News Reality Check section is where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.
Communications service providers stand to make big gains from the internet of things. But security issues could put a huge dent in their revenue projections. If they want to maximize the monetization potential of IoT, they’ll need to become leaders in ensuring its security. As connectivity kings, no one has more skin in the game. And the place they should start is right at home.
Connected homes are one of the fastest growth areas for IoT. Telecom operators are rolling out gigabit-speed broadband to homes, largely so subscribers can take advantage of new connected services and content. But from a security standpoint, connected homes are among the most vulnerable venues for IoT deployments. It’s a problem that’s about to get much worse.
An “unmanageable security risk”
In October 2016, botnets hijacked millions of unsecured webcams and IoT devices in an attack on global software-as-a-service infrastructure provider Dyn, taking down prominent websites for hours, including The New York Times, Netflix and Twitter. The Dyn attacks are just the tip of the iceberg, according to a January 2017 study by Juniper Research. The report concludes malicious botnets of the kind used in the October attack represent an “unmanageable cybersecurity risk.”
The reason is that many of the billions of IoT devices coming online today lack adequate security measures. And they’re being deployed in homes in ever-growing numbers. IoT-powered thermostats, security cameras, door locks and lighting systems provide cybercriminals with a bounty of new attack surfaces to exploit.
Additionally, wise security professionals recognize the Dyn distributed denial of service exploit for what it was – a relatively benign shot over the bow. While shutting down lots of sites by flooding them with bogus traffic is certainly an annoyance at least and an infuriating revenue and reputation depressor at worst, these consequences are trivial when compared to the devastating effects that could have resulted from a more advanced attack that more fully hijacks such devices in ways that threaten personal security and privacy.
How telecom operators are handling the problem
Service providers are aware of the security problems IoT introduces in homes. They’ve been very careful to ensure the security of the broadband connections they provide their subscribers. What concerns them the most is the risk posed by IoT devices themselves.
To address the issue, major telecom operators including AT&T, Comcast, and T-Mobile US have been working with tech leaders such as Google and Cisco Systems as part of the Broadband Internet Technical Advisory Group. Last November, BITAG issued a report highlighting the security flaws that pervade IoT devices along with industry guidelines directed at manufacturers.
The report cites security risks such as IoT devices that ship with embedded security flaws, that have fixed passwords consumers can’t change (but hackers can easily get by searching online) and that connect to networks automatically without the need for passwords or authorization.
As a result, consumers are routinely introducing vulnerable devices into their homes. That’s a huge problem because with IoT anything that’s not protected is still connected. For example, just one ordinary smart light bulb with a security flaw can potentially provide an entryway for hackers to gain access to an entire home network, including laptops, tablets, smartphones and even wearables. Once inside, they can bypass automated security systems, unlock windows and doors remotely, even access personal data like bank account numbers.
The workgroup report concludes with a long to-do list for IoT device makers to follow to ensure the security of their devices.
Guidelines are not enough
The BITAG guidelines are a good start, but they’re not nearly enough. For starters, they’re not enforceable. Device makers don’t have to follow them. And in the interest of short-term profits and speed to market, many likely won’t. The bigger problem is that the guidelines put all the responsibility for IoT security on manufacturers, which is a bit of a cop-out. CSPs need to step up and take a more proactive role in securing IoT in homes.
As mentioned earlier, the broadband pipelines that telecom operators bring into homes are secure. But as far as service providers are concerned, their responsibility for security is limited only to those broadband connections and to whatever subscription services they deliver over them, such as new home security and automation features.
Among telecom operators, the prevailing attitude is that if customers want to connect anything else beyond those services, including their own home automation gadgets, they need to deploy their own wireless networks using their own routers and equipment. That makes complete sense. CSPs need to keep their secure connections separate from their subscribers’ home networks, whose security can’t be trusted. So, their responsibility ends at the curb.
“It’s not our business”
An unfortunate consequence of that attitude is customers are on their own when it comes to securing their home networks. CSPs argue it’s not their business to see whether their subscribers’ personal networks are secure. That’s where they’re wrong. It’s very much their business.
Telecom operators stand to lose millions in anticipated IoT revenues should wide-scale attacks start taking place on connected homes. Subscribers won’t care whether those attacks occurred on their private networks or on the ones CSPs control. They may well lose confidence in IoT either way. And many will likely pass on any new IoT services CSPs hope to launch.
To ensure the success of their long-term IoT initiatives, service providers need to take a more active role in helping customers safely deploy IoT devices in their own homes. Currently, the most they provide along those lines are best practice guidelines for choosing wireless routers, using passwords and keeping firmware up to date. Truth is, many subscribers lack the time, technical ability or awareness to secure their own networks, even with the help of checklists.
CSPs must make cybersecurity a differentiator
When it comes to IoT security, telecom operators can no longer afford to hide behind guidelines. They must take bold, proactive steps. In short, they must make cybersecurity a key differentiator in their offerings, on par with download speeds, content packages and service bundles.
For example, telecom operators could provide enhanced cybersecurity services as a paid subscription service or as part of an elite tier – or, more radically, as part of a standard package. With these services, telecom operators could automatically and remotely:
· Scan private home networks for security vulnerabilities.
· Detect and isolate insecure devices.
· Update router and device firmware.
· Limit network access until subscribers update passwords (with advance warning, of course).
· Block devices attempting to automatically join networks without permission.
For this to work, subscribers would have to contractually agree to follow security recommendations from providers. For their part, providers would need to develop far more robust security practices and support than they currently offer.
If cyberattacks increase the way many experts anticipate, those CSPs with the foresight to enable an internet of secure things in the home will be in the best position to maximize revenue opportunities as IoT becomes mainstream.
Brendan O’Brien, co-founder and chief innovation officer of Aria Systems, introduced cloud billing and innovated database-driven, enterprise-grade web applications – before the concept of “cloud” was even on the horizon. O’Brien was recently invited by the European Union to work with other IoT leaders in conjunction with PricewaterhouseCoopers on “Cross-Cutting Business Models for the Internet of Things.” They will produce a report with suggestions for the highest levels of government and industry in order to lay the groundwork for the IoT.
O’Brien can be reached at: bobrien@ariasystems.com, LinkedIn – O’Brien and Twitter @brendan0606.