Internet of Things Security Issues Prompt Government Intervention

When you look at an Internet of Things (IoT) device like a fork or a juicer, what do you see? Like me, you probably see a gadget that was designed for a particular purpose. Less upstanding citizens may see a digital weapon instead of an innocuous gizmo. In the past several years, there have been several high-profile distributed denial-of-service (DDoS) attacks that were enabled by poorly-secured IoT devices. Hackers infiltrate light bulbs and other smart household items and incorporate them into huge botnets that can then be used to take down online services. These assaults recently led to the introduction of the Internet of Things Cybersecurity Improvement Act of 2017 in the US Senate.

A Recent Wave of IoT Botnet Attacks

If you’re not familiar with botnets, they may sound like something from a science fiction novel; however, they’re quite real. They can shut down company websites. This past year hackers were even able to bring down huge of the Internet using IoT botnets. This threat is not coming but already here.

First, let’s talk about distributed denial-of-service (DDoS) attacks. Every year my college football team sells its season tickets on a single day. They always sell out, so people are usually waiting at their computers for the sale to open so that they can buy their tickets. However, with so many people trying to use the service at once, it usually crashes. Think of it like a traffic jam on a roadway. If there are too many cars (or computers) nothing moves. This is the basic idea behind a DDoS assault. Hackers will take over computers or, in our case IoT devices, using malware. These malicious programs let the hackers control the gadgets (also known as zombies) and overload a target website.

When my college’s ticket website goes down, it’s not really a big deal. They still sell all the tickets, but it just takes longer. If hackers cripple a payment website, though, companies can lose hundreds of thousands—even millions—of dollars while the website is offline. These attacks can also be used to incapacitate portions of the Internet as a whole.

In 2016 the Mirai botnet attacked a company called Dyn, which runs many US Domain Name Server (DNS) services. As a result, many people in the US were not able to access the Internet. To mount such a massive strike, the Mirai botnet used hundreds of thousands of poorly-secured IoT devices, in this case mostly webcams. Many other botnets are being built from smart gadgets with substandard security as we speak. The United States Government has been slow to acknowledge this threat but is now taking action.

US Legislation Tries to Hold Back the Tide

Recently, the US Senate introduced bipartisan legislation to correct this problem, which would require designers to meet certain security standards in order to sell their products to the federal government. These standards compound the challenge of meeting the FCC’s radiated and conducted emissions standards. However, the proposed act’s standards highlight weak points in IoT device design and indicate some key areas for designers to consider.

Primary standards of the proposed legislation:

• Devices should be able to receive and install a software patch. Either enable over the air updates for your product or make it possible for the user to install patches.
• Designers should avoid integrating known vulnerabilities into their products. If they discover a weakness during design, they should disclose it to the appropriate federal agency. Don’t intentionally include backdoors into your hardware or software.
• IoT communications should rely only on standard protocols, such as Bluetooth or 5G.
• No device should have a hard-coded password, which is part of what allowed the Mirai botnet to infect hundreds of thousands of devices, like WiFi light bulbs.​​

The legislation does not appear to be extremely rigid. There will be allowances on a case-by-case basis for gadgets that don’t meet their requirements. That being said, the risk of IoT devices being infected and grafted into massive botnets is significant. Even without that legislation, designers should seek ways to more effectively secure software and hardware alike.

Designing a PCB is never easy, and these new government requirements won’t make it any easier. Fortunately, great PCB design software can help you stay ahead of such legislative action to secure your designs. CircuitStudio^® boasts a wide variety of tools that will help you manage the details and craft IoT devices that reflect increased security standards.

Have more questions about IoT security? Call an expert at Altium.