BITAG’s IoT Security and Privacy Recommendations

Greenwave Systems’ Mark Baugher represents his company in the IPSO Alliance and actively participates in the Security, Privacy and Identity Working Group. He recently evaluated the recent BITAG report on IoT security and privacy for the IoT. In the paper below, he provides an overview of the recommendation and underscores some of the challenges that remain to be addressed. Interested in supporting IPSO’s work to solve some of the remaining challenges? Learn more about the IPSO Alliance Security, Privacy and Identity Working Group.

BITAG’s IoT Security and Privacy Recommendations

Mark Baugher, Greenwave Systems

BITAG has weighed in on Internet of Things (IoT) security and privacy.  The Broadband Internet Technology Advisory Group’s report studies the plague of IoT insecurity and makes recommendations to deal with it.  It’s short, well-researched and accessible (the interested reader can quickly peruse the Executive Summary).  The report motivates its recommendations with over 150 informative references and footnotes on IoT risks, vulnerabilities and remedies.

The report isn’t about enterprise IoT services.  It’s about user or “consumer” IoT, which is mostly in the home.  The various services are controlled by a user’s mobile phone for apps like home security, lighting automation and thermostat control.  The distinguished experts wrote the report warn users that IoT services “face general security and privacy threats…” from the gadgets that we and others connect to home networks.  Securing this type of IoT is harder “because it can involve non-technical or uninterested consumers.”

Consumer IoT “gadgets” include presence sensors, cameras and home-network devices that need little human control.  Per the report, IoT “devices typically interact with software running elsewhere on the network and often function autonomously, without requiring human intervention.” Ned Smith, chair of the IPSO Alliance Security Committee, says increased autonomy differentiates IoT security from conventional cyber-security. IoT services do need management, however, but home networks are usually unmanaged – set up by someone in the household and forgotten.

These poorly-managed home networks are populated with vulnerable network products, notably high-definition video cameras.  Hundreds of thousands of these risky products temporarily disabled major sites and disrupted parts of the Internet in recent IoT DDOS attacks.  The BITAG report predicts that as more IoT devices “…are compromised by malware…they can become a platform for unwanted data traffic…which can interfere with the provision of these other services.” The “other services” include basic Internet and home-network services. As foretold, the IoT DDOS malware recently spread from cameras and other vulnerable products to 900,000 gateways operated by one of the most advanced Internet services in Europe.  Yet another wake-up call.

So, what are we to do?  Let’s summarize what the report says, what it means and, finally, what’s missing.

What the BITAG Report Said

The BITAG report is summarized in its Executive Summary, which condenses the recommendations into ten high-level bullets and about as many sub-bullet points.  BITAG’s mission is to develop compelling industry best-practices.  BTAG’s report identifies and motivates best practices for secure IoT device communications, software, services and operations across the industry and the product supply chain.  Everyone must help with IoT security and privacy.

The report expertly surveys problems and solutions.  Broadband providers have long asked for home gateways to have authenticated software update.  A decade ago, I was called to a network-service provider’s headquarters to discuss that topic – and IPv6 enablement, which is now found in many places, and secure DNS, which isn’t.   Today, automated software update is just common sense for leading vendors in the US market, at least.

Most of BITAG recommendations are well-known industry best practices and some are novel.  At least one is controversial: The report command that “IoT services continue to function in the home if Internet connectivity fails.”  But what if the home-security system determines it cannot send alerts over any external network interface like cellular or fiber?  That system should fail.  Why is this a security issue rather than a user-experience issue?  Why not leave it to product designers?

Sometimes, BITAG wants failure: “The security of IoT devices is … of interest not only to the manufacturers (and other parts of the IoT supply chain) and customers of IoT devices, but also to the Internet at large.”  When vulnerable IoT devices fall to attack, it can be costly and disruptive for all.  Hence, the Internet needs

“A way to disable communication with the device once it is determined to be vulnerable. Examples of potential methods include remotely disabling the device from the network, or blocking access to the device from a home gateway.”

A vulnerable device is missing security updates.  BITAG does not favor user opt-in for updates and recognizes that there are many types of software updates.  Nonetheless, the report recommends that updates are, in general, opt-out not opt-in.  A user may reasonably want to delay and explicitly approve updates because they can be disruptive, buggy and even insecure.  This recommendation may seem intrusive to many.

What might be added

The BITAG report assumes that “the recommendations … apply to the device that performs the protocol conversion (e.g., home automation hub or gateway).”  But the report misses the importance of that protocol conversion for semantic interoperability between different systems with different command sets, authorization systems, authenticators and encryption.

Thus, there are most often two or more secure connections along an IoT service path and usually more, which breaks at least one recommendation: “BITAG recommends that IoT devices authenticate the endpoints they communicate with.”  But that’s not possible to do when there are multiple secure connections along a path:  The sender authenticates the first connection endpoint (hop) and the receiver authenticates the last hop.  In between, data are decrypted and processed in the clear, and resent on yet another secure connection.  IoT application-layer gateways are a source of great insecurity in IoT services, but the report does not consider them.

The report misses authorization problems, but IoT authorization problems have been found in one of the best IoT products in the industry.  In a recent study, the product allowed an app with rights to read door-lock battery levels obtain door-lock access codes.  More consideration of gateways, ALGs and IoT authorization might improve a future report.

Finally, there’s the elephant in the room:  The reasonable reader might conclude that the state of IoT security is dire and must be remedied by any means necessary.  But the report timidly calls only for an industry-wide security program and for the providers of the IoT supply chain to clean up their act.  If there is a good reason to ignore the government, then the report should explain that.  Many prominent security experts disagree.

Although the BITAG report doesn’t explore of all avenues for improving IoT security, its offers thoughtful recommendations from the perspective of network operators who clean up the messes wrought by insecure Internet “things.”  It’s recommended reading for people interested in IoT security.