The Internet of Things (IoT) is here to stay. According to the special edition of the Ericsson Mobility Report in January 2019, there will be over 22 billion connected devices by 2024. Much of this growth comes from ‘smart home’ consumer devices. Various high-profile incidents have hit the headlines, however, drawing people’s attention to cyber security shortcomings that are putting their privacy and sometimes their personal safety at risk. DEKRA’s mission revolves around keeping people safe and secure, and that includes when they are using the latest connected technology in their homes. So how can manufacturers of smart home devices provide customers with the confidence they demand in such a new, rapidly advancing and complex area of technology, and which standards and certifications do they need to take into account?
The Cyber Security Division of DEKRA Testing & Certification in Malaga, Spain, is a leading internationally recognized security evaluation facility. The lab is at the cutting edge of the practical application of security evaluations and testing. Its business model is based on long-term investment in customer relationships and on sharing knowledge and driving progress in the application of evaluation standards and methodologies within the cyber security community. José Emilio Rico, Director of the Cyber Security Division, explains more in this interview.
With the rise of the IoT, the market for ‘smart home’ devices is growing at a rapid pace. What challenges does this pose for manufacturers?
It is a very complex situation, because smart home devices face various security challenges throughout the product lifecycle. The risks include exposure of consumers’ data, infringement of their privacy and even abuse of the devices themselves to create networks (so-called ‘botnets’) with capabilities to attack entire systems. Vulnerabilities can occur anywhere along the chain of interaction between the user, the device, the gateway, the connection, the cloud server and the applications. Think of things like exposed external ports and expansion slots on the device itself, but also insecure software/firmware, web/mobile interfaces and network services, or the absence of a reliable patch pipeline. This means that manufacturers need to consider several important security principles, ranging from the physical security of the device itself to cloud security including identification, authentication and encryption.
Can you give us some examples of real-life cyber security incidents?
There have been various high-profile cases of what are known as disruptive distributed denial-of-service (DDoS) attacks, organized by hackers aimed at installing malware onto IoT devices. For example, the Mirai botnet was discovered in August 2016. Mirai took over an unprecedented number of consumer devices such as IP cameras and home routers, causing massive damage to the internet. Mirai was able to identify vulnerable devices using a table of more than 60 common factory default usernames and passwords in order to infect them with its malware. Once infected, the devices were able to scan the internet to find other vulnerable IoT devices. Mirai eventually took over nearly 500,000 devices and was used in some of the largest and most disruptive DDoS attacks. This illustrates the danger of using default passwords. However, it is a common problem, and it has even caused serious issues in medical devices such as cardiac implants and heart monitors. In some cases, hundreds of thousands of devices have had to be removed from patients due to vulnerabilities in the wireless transmission of data without sufficient encryption and authentication. But sometimes the vulnerability comes from insecure software. Most smart home device manufacturers lack expertise in secure software development, and they either fail to provide enough protection against unwanted access or do not provide sufficient regular updates.
So why are today’s consumer devices not being designed with more cyber security features?
As so often in business, it’s partly a problem of cost. To keep production costs low, manufacturers are reusing off-the-shelf technologies, but that introduces ambiguity of ownership for developing and deploying patches and other upgrades which are necessary to keep IoT devices secure after they’ve left the manufacturer’s warehouse. But it’s also a matter of practicality. In wearable products, for example, it’s desirable to minimize the drain on the battery by using a low-level microprocessor, but such microprocessors have less capacity for security. Plus it’s about optimizing the user experience: the encryption process uses a lot of CPU cycles and could result in a slow connection via Wi-Fi, so sending unencrypted data can reduce irritating delays. Likewise, using password protection will make it more secure but less convenient for users. And any password can be hacked eventually, so ideally you’d use a digital certificate instead – but that requires the end user to have more knowledge… In other words, any security feature you introduce in the device will imply limitations for the user. So ultimately, smart home product manufacturers need to evaluate their target customers and trade off the risks against the costs and the convenience to arrive at an acceptable level of security for the consumer.
Do manufacturers of smart home devices have to demonstrate that they provide a minimum level of cyber security?
Actually, there are no formal mandatory requirements in the smart home industry right now. The existing European regulations aimed at protecting consumers were all drafted at a time when products like toys or medical devices were not connected to the internet – which is no longer the case, of course. So to ensure the protection of consumers now and in the future, they need to be updated with the incorporation of cyber security certification aspects. What we do have now is the Common Criteria for Information Technology Security Evaluation, also known as ISO 15408 or ‘Common Criteria’ (CC) for short, which is the most commonly used standard in the ICT industry. This international framework is used by different industries and especially governments to define minimum security requirements for families of products that could be deployed, e.g. in emerging 5G network infrastructures, IoT and the automotive sector. The testing process is an objective evaluation of the security of the end product, including penetration testing, which means measuring the device’s resistance against various kinds of attacks. There is also another standard called the Federal Information Processing Standard (FIPS 140-2/ISO 19790) for the validation of cryptographic modules. Neither of these is mandatory for consumer products at the moment, but they are widely regarded in both governmental and non-governmental sectors as practical cyber security benchmarks and realistic best practices. Our cyber security laboratory, which was founded in 2007, is specialized in Common Criteria (CC) and FIPS 140-2 security evaluation and testing services. In fact, we’re accredited under the terms of the Common Criteria Recognition Agreement (CCRA) to carry out security evaluations according to CC for ICT products leading to certificates that are recognized in 30 countries.
We’re also one of just 20 FIPS 140-2 labs in the whole world (and just three in Europe) able to evaluate cryptographic modules, and we are accredited in the Japanese scheme for cryptographic module validations under the ISO 19790 standard. So with all our experience, we’re in an ideal position to not only evaluate the devices, but also to help and advise manufacturers of smart home devices on how they can use these standards as a guideline for cyber security.
What is being done to update the existing consumer products standards to include cyber security?
Different countries are currently at different stages of developing different guidelines. For example, in the USA the NIST has developed a cyber security framework to help manufacturers to manage cyber security risk, and the UK is drafting a regulation setting a minimum level of security for IoT devices. The European Commission has recently approved regulations that are designed to resolve the security problems derived from 24-hour/day connectivity. The root of these regulations is the so-called Cybersecurity Act, a European legislative framework aimed at, among other things, increasing consumer confidence in the use of connected devices. The Cybersecurity Act, under the governance of the European Union Agency for Network and Information Security (ENISA), mandates the creation of cybersecurity certification schemes for IT products and services promoting an early definition of security requirements (so-called ‘security by design’). The introduction of this first EU-wide cyber security certification scheme will ensure that certain standards are met by products and services sold in EU countries. Manufacturers will be required to provide detailed information including guidance on installation and the period for security support, including information for security updates so that consumers are better informed. The immediate consequence of the creation of these new schemes is that some certifications (e.g. for cloud services, IoT devices, industries with critical systems) will eventually become mandatory – although not before 2023 at the earliest, and probably only for the top two levels of security: ‘substantial’ and ‘high’. The ‘basic’ level of security – which will probably apply to IoT products – is likely to remain voluntary. But at least this will give us clearer guidelines for best practice, plus it will raise awareness and acceptance among consumers and manufacturers.
Needless to say, DEKRA is actively participating in the relevant working groups involved in developing these schemes and we are keeping a very close eye on the work in progress so we can keep our customers informed about which technical standards apply in their industry.
What would be your advice to smart home manufacturers right now?
Not all smart home products require the same level of security, but low-level penetration testing and an evaluation of the security level is the most basic – and cheapest – procedure and is good practice for any manufacturer. At DEKRA we recommend a ‘security by design’ approach, so the testing should preferably be done during the development phase. After all, it’s easier to get things right from the start rather than try to fix things when the product is already finished, and cyber security is no exception. And, of course, we advise manufacturers to arrange a third-party evaluation with the subsequent certification to demonstrate their compliance with the existing security standards I mentioned earlier. This can also help you to gain a competitive edge, because consumers are increasingly looking at how manufacturers manage cyber security risks. It will never be possible to identify and fix all the vulnerabilities, because new ones are appearing all the time, but testing and evaluation can help you to minimize the risks. In terms of certification and the regulatory environment, the situation is changing all the time, and the requirements very much depend on which type of customer your product is aimed at in which industry and which country. On top of that, the cyber security requirements will get stricter over the coming years, so my final word of advice would be, don’t hesitate to ask an expert for help. The cost of a basic test and evaluation is much lower than the cost of having to recall thousands of products due to failure to spot a vulnerability beforehand... not to mention the potential cost in terms of damage to consumer trust and your reputation!