Security ratings for IoT devices?
Rory Medcalf: The National Security College chief says Australia needs to prepare now
The federal government has asked industry leaders to develop a mandatory cyber security rating system for Internet of Things devices, but experts say such a scheme would be “enormously difficult” to implement in an effective way.
Prime Minister Malcolm Turnbull asked an advisory committee made up of private sector members to develop options for the Australian ratings system. The committee will report back by the end of the year.
The ratings system would be similar to the health stars on food packaging or the energy star ratings on electrical appliances, and would indicate the level of cyber security of any given IoT device, possibly in the form of a “cyber Kangaroo logo”.
The group includes a number of Australian industry leaders in the sector, who will be discussing the concept with tech leaders like Amazon, Google, Microsoft and Telstra.
Assistant Minister for Cyber Security Dan Tehan said the aim was for the private sector to develop the best model itself, rather than the government imposing mandatory ratings.
“The government believes the private sector is best placed to develop protocols about communicating the level of cyber security of Internet of Things devices to the general public,” Mr Tehan told InnovationAus.com.
He has previously raised concerns with the security of IoT devices. “We’re seeing that poor security in IoT devices is having a consequence,” Mr Tehan said.
“The idea of baby monitors with poor cyber security that can be hacked into, and then the cameras on them observed on the internet, I think, is something which all parents would find absolutely abhorrent.”
The ratings plan follows a number of attacks on IoT devices in recent years, and the recent revelation that the WPA2 security protocol for Wi-Fi networks can be breached.
This is likely to hit IoT devices hardest, because they are the least likely to receive the patch needed to close such a hole, said security researcher and HaveIBeenPwned.com founder Troy Hunt.
“The ongoing security concern with IoT is how you update it, and it’s up to manufacturers to make that a seamless experience. IoT is more vulnerable at least in the context that it’s usually harder to update,” Mr Hunt told InnovationAus.com.
According to Forbes, there will be over 80 billion IoT devices by 2025, and many of these are vulnerable to attack. There have been a number of incidents recently, including implantable cardiac devices like pacemakers being hacked, intruders gaining access to Wi-Fi connected baby monitors, and home security cameras being easily infiltrated.
Mr Hunt said that with manufacturers around the world jumping on the IoT bandwagon, security concerns aren’t being properly taken into account.
“There’s so much stuff being rushed to market - it’s a little bit of a boom at the moment. Companies are trying to be first with an IoT thing, and rushing to market to get the competitive edge. The egregiousness of the security flaws is outstandingly bad,” he said.
The idea of IoT security ratings, and specifically a cyber kangaroo logo, was born out of a cyber exercise run by the Rand Corporation and the Australian National University’s National Security College at the end of last year.
The exercise saw 90 top officials, executives and academics work through plausible scenarios to develop ways of addressing pressing cyber security challenges.
One of these looked at the difficulties of controlling IoT devices, and envisioned a 2022 scenario in which criminals could hold people with pacemakers to ransom and hack cars.
The participants proposed cyber security standards under which the government would regulate the safety standards of IoT devices, and a simple way of showing consumers a device’s level of security so that they could compare it with others.
“The only prudent policy response was to prepare now by ensuring Australia had world-leading standards on IoT security before attacks were attempted,” National Security College head Rory Medcalf said.
The security rating would be a “quality assurance for cyber-connected devices”, a quickly recognisable symbol used as a “tool for building trust with consumers”.
The government has now taken this idea to its advisory committee to bring to the private sector and further develop, with the National Security College still involved with the discussions.
But Mr Hunt said such a scheme would be “enormously difficult” to properly implement, and that enforcing proper penalties on the manufacturers of devices with inadequate security would be more effective.
“Even if we did try to regulate the IoT component, there are so many moving parts outside of the device itself, and that makes it really hard,” he said.
“The government tends to be a bit behind on these things anyway – I’d prefer to see greater penalties for when organisations screw this thing up.”
Mr Hunt pointed to the breach of CloudPets’ IoT teddy bear earlier this year, in which recorded voice messages that parents sent to the bear to play to their child were stolen by hackers.
These messages were stored in a database without a password and were “ridiculously easy” to hack, but the proposed security ratings would not have effectively conveyed the risks involved, he said.
“If you look at just the device, it’s absolutely perfect with no problems, but someone has the database with all the kids’ voices, and they didn’t put a password on it. That’s an important part of the ecosystem but not the device itself,” Mr Hunt said.
Another big challenge for the proposal would be enforcing it overseas, where most IoT devices are developed and manufactured.
Mr Tehan said he hoped the standards would apply to imported products in the same way as to Australian-made ones.
There are also concerns that such regulations would stifle innovation and would not keep pace with technological advances in the space. These concerns were identified by the National Security College in a report released in August this year.
“The result was a reluctance to impose excessive regulation on technology imports, with the fear that manufacturers would simply sell their goods elsewhere and Australian consumers would miss out. This would also cost the Australian economy opportunities to evolve and compete in the increasingly technology-driven global economy,” the report said.
Mr Tehan said he hoped many of these concerns would be addressed by the industry committee and the private sector.
“The government wants to hear from the private sector how its proposals will address imported IoT devices, the evolving technology and competition issues,” he said.