IoT Device Security Laws Won’t Eliminate DDoS Attacks

It is now common knowledge among cyber security professionals that many of the billions of IoT-connected devices around the world are not secure and, of those, many have already been leveraged by bad actors. There are two key reasons for these security problems:

1. End-users, whether consumer or commercial, often fail to change the manufacturer's default password, which is commonly the same for every device of a given model. An attacker who already knows, or can easily guess, that password can log in and recruit the device into a botnet used to steal data, send spam, or launch distributed denial of service (DDoS) attacks.

2. Many IoT devices have inherent flaws in their software stacks, which often reuse lightweight open-source components chosen for low-performance hardware and then ship with known vulnerabilities that are never patched or kept up to date. Bad actors recruit such devices through these easily discoverable, or already public, vulnerabilities, without needing a password at all. We have already seen the original Mirai botnet, which logged in with a built-in list of factory-default and weak credentials, morph into variants that exploit software vulnerabilities to gain control of IoT devices.

Experts overwhelmingly agree that manufacturers should build their software with security in mind, ship security updates for the life of the product, and factory-set a unique password for every device. Until that is the norm, end-users need to change default passwords and apply available firmware updates so that their devices cannot be so easily recruited into a botnet.
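The two password problems above can be checked for in an existing device estate without touching the devices themselves, if an inventory of configured credentials is available. The script below is an added example written for this page, not code from the original article or from any vendor; the inventory records and the list of default credentials are constructed for illustration. It flags a device on two signals: the credential pair is on a known-default list, or the same credential is reused across several devices of one vendor and model, which is what a manufacturer-wide default looks like even when it appears on no published list.

```python
"""Audit an IoT inventory for shared or known-default credentials.

Added example for this page; all data below is constructed.
"""
from collections import defaultdict

# Constructed list of common factory-default credential pairs.
# A real audit would load a maintained list instead.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed inventory: (device_id, vendor, model, username, password).
# cam-01..03 share one default; cam-04 has been changed; the DVRs have
# per-device passwords; rtr-01 uses a well-known default.
INVENTORY = [
    ("cam-01", "AcmeCam", "X100", "admin", "admin"),
    ("cam-02", "AcmeCam", "X100", "admin", "admin"),
    ("cam-03", "AcmeCam", "X100", "admin", "admin"),
    ("cam-04", "AcmeCam", "X100", "admin", "Tr0ub4dor&3"),
    ("dvr-01", "VidCorp", "D8", "root", "7hK!q2wP"),
    ("dvr-02", "VidCorp", "D8", "root", "m3Lz$9vQ"),
    ("rtr-01", "NetBox", "R2", "admin", "1234"),
]


def audit(inventory, known_defaults=KNOWN_DEFAULTS, share_threshold=2):
    """Return {device_id: [reasons]} for devices whose credentials look
    like manufacturer defaults.

    Signal 1: the (username, password) pair is on the known-default list.
    Signal 2: the same (vendor, model, username, password) is configured
              on `share_threshold` or more devices. A factory-set unique
              password never collides; a shared one is a default.
    """
    by_credential = defaultdict(list)
    for device_id, vendor, model, user, password in inventory:
        by_credential[(vendor, model, user, password)].append(device_id)

    findings = defaultdict(list)
    for (vendor, model, user, password), ids in by_credential.items():
        if (user, password) in known_defaults:
            for device_id in ids:
                findings[device_id].append("known default credential")
        if len(ids) >= share_threshold:
            for device_id in ids:
                findings[device_id].append(
                    f"password shared by {len(ids)} {vendor} {model} devices"
                )
    return dict(findings)


def report(findings):
    """Render findings as one line per device, sorted by device id."""
    return [f"{dev}: {'; '.join(reasons)}" for dev, reasons in sorted(findings.items())]


if __name__ == "__main__":
    for line in report(audit(INVENTORY)):
        print(line)
```

Run against the constructed inventory, the three AcmeCam cameras are reported on both signals, the router only on the known-default signal, and the camera with a changed password and the two DVRs with distinct passwords are not reported at all. The second signal is the useful one in practice: it catches a vendor's default that no public list has recorded yet.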

New US Legislation to Better Secure IoT Devices

In response to these security issues, in March 2019 U.S. Representative Robin L. Kelly (D-IL) introduced a bicameral, bipartisan bill, the Internet of Things Cybersecurity Improvement Act of 2019, which aims to “leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In a nutshell, the bill would require that IoT devices purchased by the U.S. government meet minimum security requirements; it governs how procured devices are configured and managed rather than regulating the software that manufacturers produce and sell. It also assumes that the many federal departments and agencies have staff with enough cybersecurity knowledge to discern which IoT devices are “secure.” The bill has 24 co-sponsors to date, and companion legislation has been introduced in the Senate, but no changes are on the immediate horizon: before it becomes law, it must pass both the House and the Senate and then be signed by the President.

The goal of the legislation is to protect government information systems, a compromise of which could affect not only national security but also the privacy and security of American citizens.

While the legislative process plays out, there will certainly be many DDoS attacks, large and small, before any meaningful policy or law takes effect. Even if the legislation passes, citizens, enterprises and government officials alike should keep in mind that it will not eliminate DDoS attacks on government information systems or private enterprise. It addresses only IoT devices procured by the U.S. Federal government, a tiny fraction of the global IoT installed base, and a botnet built from devices anywhere in the world can attack a target anywhere. The federal government has limited control over the computers and devices within U.S. borders, and little or none over those manufactured and used in other countries.

New UK Legislation to Better Secure IoT Devices

Similar legislation may also be introduced by the UK Government’s Department for Digital, Culture, Media and Sport (DCMS), whose Code of Practice for Consumer IoT Security would, among other things, require manufacturers to build basic cybersecurity features into their products and give consumers better information about how secure those devices are. The consultation proposes making the first three guidelines of the Code mandatory: no universal default passwords, a published vulnerability disclosure policy, and a stated minimum period during which a device will receive security updates. The UK government specifically points out that the Code of Practice will help mitigate the threat of DDoS attacks launched from poorly secured IoT devices and services. The consultation runs from May 1 to June 5, 2019, ahead of potential legislation.

Government regulations that mandate better security architectures, stronger password protection and patching for IoT devices are positive steps to enhance security and protect privacy. Laws and regulations send an important message to consumers and manufacturers, and they do influence outcomes. Unfortunately, they cannot completely eliminate botnets. The threat landscape evolves constantly, government agencies struggle to adapt quickly enough, whether through technology or through compliance regimes, and the installed base of insecure devices already deployed stays online for years after any new rule takes effect.

Why Organizations Must Add their Own Security Measures

Given this reality, organizations should protect their networks from the attacks that follow, of which DDoS is among the most common. For organizations that rely on their Internet presence, the only practical way to avoid being impacted is an always-on, automated DDoS solution at the network edge that detects malicious traffic and blocks it in real time, before it enters the network.
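To make concrete what “automatically detect” means at the edge, the script below is an added example for this page; it is not Corero code and does not describe how any product works. It runs a windowed detector over constructed flow records of the form (timestamp, source, destination, packets): a destination is flagged when its inbound packet rate jumps far above its own recent baseline and the number of distinct sources jumps with it, which distinguishes a distributed flood from one busy client. The window size, thresholds, addresses and traffic mix are all assumptions chosen for the example.

```python
"""Windowed, per-destination DDoS detector over flow records.

Added example for this page; thresholds and all traffic are constructed.
Records are (ts_seconds, src_ip, dst_ip, packets).
"""
from collections import defaultdict

WINDOW = 1.0          # seconds per bucket
BASELINE_WINDOWS = 3  # previous buckets that form the baseline
RATE_MULT = 10.0      # alert when pps exceeds RATE_MULT x baseline
MIN_PPS = 1000        # ignore tiny services even if they jump 10x
MIN_SOURCES = 50      # "distributed": many sources, not one hot client


def bucketize(flows):
    """Group flows into {dst: {bucket_index: [packets, {sources}]}}."""
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, packets in flows:
        slot = per_dst[dst][int(ts // WINDOW)]
        slot[0] += packets
        slot[1].add(src)
    return per_dst


def detect(flows):
    """Return a list of alert dicts, one per (dst, bucket) that floods.

    The baseline is the mean pps of the last BASELINE_WINDOWS buckets that
    were *not* themselves alerting, so attack traffic does not raise the
    baseline and hide the rest of the attack. Buckets with no traffic
    count as 0 pps so a quiet gap lowers the baseline as it should.
    """
    alerts = []
    for dst, buckets in bucketize(flows).items():
        history = []  # pps of recent clean buckets
        for b in range(min(buckets), max(buckets) + 1):
            packets, sources = buckets.get(b, (0, set()))
            pps = packets / WINDOW
            alerted = False
            if len(history) == BASELINE_WINDOWS:
                baseline = max(sum(history) / BASELINE_WINDOWS, 1.0)
                if (pps >= MIN_PPS and pps > RATE_MULT * baseline
                        and len(sources) >= MIN_SOURCES):
                    alerted = True
                    alerts.append({
                        "dst": dst,
                        "second": b,
                        "pps": pps,
                        "baseline_pps": baseline,
                        "sources": len(sources),
                    })
            if not alerted:
                history.append(pps)
                if len(history) > BASELINE_WINDOWS:
                    history.pop(0)
    return alerts


def make_sample_flows():
    """Constructed traffic. Addresses are from the RFC 5737 test ranges."""
    flows = []
    victim, other = "203.0.113.10", "203.0.113.20"
    # Seconds 0-2: five clients, 500 pps to each host (normal load).
    for t in range(3):
        for i in range(1, 6):
            flows.append((t + 0.1 * i, f"192.0.2.{i}", victim, 100))
            flows.append((t + 0.1 * i, f"192.0.2.{i}", other, 100))
    # Second 3: 200 bots each send 60 packets to the victim (12000 pps).
    for i in range(1, 201):
        flows.append((3.0 + i / 1000, f"198.51.100.{i}", victim, 60))
    # Second 3: one misbehaving client sends 20000 packets to the other
    # host. A rate spike, but a single source, so not a distributed flood.
    flows.append((3.5, "192.0.2.99", other, 20000))
    return flows


if __name__ == "__main__":
    for alert in detect(make_sample_flows()):
        print(alert)
```

On the constructed traffic the detector raises exactly one alert, for the host hit by 200 sources at 12000 pps against a 500 pps baseline, and stays silent for the host hit by a single 20000-packet client, which is a job for per-source rate limiting rather than volumetric DDoS logic. In a real edge deployment the alert would drive a block or rate-limit rule at the ingress point, and a full solution would also inspect packet contents for signatures of reflection and amplification, which a packet-rate view alone cannot distinguish.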

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. For more information, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.