Manufacturers and buyers of Internet of Things (IoT) devices are being urged to prioritise security when building and installing devices whose long record of vulnerabilities is becoming more consequential as the COVID-19 pandemic pushes work onto home networks.
The Department of Home Affairs’ newly released Voluntary Code of Practice is targeted at industry – but “everyone”, the department notes, “has a role to play in improving cyber security in the Internet of Things”.
Co-developed with the Australian Cyber Security Centre (ACSC), the Code of Practice includes 13 core principles that outline “the security features expected of devices available in Australia”.
These include avoiding duplicated or weak passwords; implementing a vulnerability disclosure policy; keeping software updated; storing credentials securely; and protecting personal data to Privacy Act 1988 standards using “adequate industry-standard encryption”.
IoT device makers are also urged to verify software integrity; bolster system resilience; monitor system telemetry data for security anomalies; enable consumers to delete their personal data; simplify device maintenance and upgrades; and validate API calls and data from other applications.
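Two of the principles above, verifying software integrity and keeping software updated, meet in the device's update path, and the detail that matters there is the order of checks. The program below is an added example written for this page; it is not code from the Code of Practice, the ACSC, or any device vendor. The image layout (a 4-byte version header followed by the payload), the Ed25519 signature scheme, and the function names are assumptions made for illustration. The device verifies the signature before it parses a single byte of the image, and it then refuses any version that is not newer than the one installed, because a validly signed but older image that contains a known bug is exactly what an attacker would replay.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not any real vendor's format):
// a 4-byte big-endian version number followed by the raw payload.
const headerLen = 4

var (
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrMalformed    = errors.New("firmware: image too short")
	ErrDowngrade    = errors.New("firmware: version is not newer than installed")
)

// BuildImage prepends the version header to a payload.
func BuildImage(version uint32, payload []byte) []byte {
	img := make([]byte, headerLen+len(payload))
	binary.BigEndian.PutUint32(img, version)
	copy(img[headerLen:], payload)
	return img
}

// SignImage is the vendor-side step; the private key never leaves the vendor.
// The signature covers the version header as well as the payload, so an
// attacker cannot re-label an old payload with a newer version number.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// VerifyUpdate is the device-side check. The signature is verified before
// anything is parsed, so the parser never runs on unauthenticated bytes, and
// versions must increase, so a signed but older (possibly vulnerable) image
// cannot be replayed onto the device. It returns the version to install.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, image, sig []byte) (uint32, error) {
	if !ed25519.Verify(pub, image, sig) {
		return 0, ErrBadSignature
	}
	if len(image) < headerLen {
		return 0, ErrMalformed
	}
	version := binary.BigEndian.Uint32(image[:headerLen])
	if version <= installed {
		return 0, ErrDowngrade
	}
	return version, nil
}

func main() {
	// Constructed key pair and payloads; a real device ships only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(1)

	good := BuildImage(2, []byte("firmware v2 payload"))
	goodSig := SignImage(priv, good)
	fmt.Println(VerifyUpdate(pub, installed, good, goodSig)) // 2 <nil>

	// One flipped payload byte invalidates the signature.
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println(VerifyUpdate(pub, installed, tampered, goodSig)) // 0 firmware: signature verification failed

	// A genuine, vendor-signed image of the currently installed version is
	// still rejected: the signature is fine, the version check is not.
	old := BuildImage(1, []byte("firmware v1 payload"))
	fmt.Println(VerifyUpdate(pub, installed, old, SignImage(priv, old))) // 0 firmware: version is not newer than installed
}
```

The anti-rollback check is the part most often left out of hobbyist and budget-device updaters; without it, "verify software integrity" only proves the image came from the vendor, not that it is the image the device should be running.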
Device makers are encouraged to provide whole-of-lifecycle stewardship, including telling consumers how long devices will receive software updates and informing them when device security will no longer be updated.
Consumers should factor in considerations such as the reputation of the manufacturer and retailer, whether the device’s password can be changed, the ongoing availability of updates, and clarity about what data will be collected and where it will be shared.
“Boosting the security and integrity of internet connected devices is critical to ensuring that the benefits and convenience they provide can be enjoyed without falling victim to cybercriminals,” Minister for Defence Linda Reynolds said in announcing the release of the “encouraged but optional” code.
Fighting the hordes
As wearable-fitness giant Garmin recently learned when a cyber attack forced it to shut down its entire network, security is paramount for the exercise, health and location information that wearable fitness trackers readily collect.
Yet the scope of IoT security extends far beyond your wrist: IoT security has become a major network security issue, with manufacturers mixing and matching software modules into bespoke devices that are flooding retail and business markets.
With 44 per cent of Australian companies already using IoT devices and over 11.1m wirelessly linked devices expected by 2024 – many using evolving 5G networks to transmit data back to monitoring and control systems – the integration of IoT devices into everyday life continues to accelerate.
Yet those devices are often poorly supported, rarely updated, and frequently left running with widely known default settings and passwords – which in 2016 allowed the Mirai malware to compromise surveillance cameras and other IoT devices, then use them to attack Internet infrastructure providers.
Security researchers and university cyber security students have assumed a de facto quality control role – finding bugs in devices like Amazon’s Blink XT2 security cameras and a range of smart-home hubs, then working with manufacturers to remediate them.
The number of discovered vulnerabilities this year is “off the hook”, said Marc Rogers, Okta executive director of cyber security and co-founder of the CTI League of white-hat hackers, in a recent address at the firm’s Disclosure online conference.
With around 24,000 vulnerabilities published this year already, “we’re going to double any other year easily,” he said while urging pragmatism about the real extent of the problem.
“For every vulnerability that gets disclosed publicly, there are almost certainly ones that are not,” he said. “We should realise that this is an indicator that everything is under attack – and that we need to pay attention.”
Once it’s out there, it’s out there
Hackers’ interest is more than academic: IoT makers are currently dealing with Ripple20, a set of 19 vulnerabilities in Treck’s low-level embedded TCP/IP stack, which is used in hundreds of millions of IoT devices from at least 98 different vendors.
Attackers exploiting Ripple20 can compromise and take control of critical devices spanning industrial control systems, medical devices, home tools, networking devices, retail equipment, aviation, government agencies, transportation management, and more.
COVID-19’s transformation of business operations has added fuel to the fire, with a recent analysis by cloud-security firm ExtraHop finding that the pandemic had sharply reduced the number of devices on secured office networks – with laptops and phones moved to remote workers’ homes, where office security controls don’t necessarily reach.
At the same time, potentially insecure office phones and printers were left plugged in but unattended, and the number of installed – and potentially vulnerable – security cameras increased by 47 per cent in March alone.
Even Internet-connected treadmills in office gyms were observed, highlighting the often unappreciated pervasiveness of connectivity that cyber criminals can potentially use to compromise corporate networks.
“While these techniques are well known,” Rogers said, “they’re accessible – and they are devastatingly effective.
“Hardware flaws don’t go away, and installation of malicious firmware can turn anything into a threat.”