On May 16, 2018, the U.S. Consumer Product Safety Commission conducted a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. VDOO's written response is below.
IoT products are becoming integral to our daily lives. These products provide useful functions within our homes, businesses and cities. As time progresses, the capabilities of these products continue to increase, forming a layer of connectivity that enables automation of daily activities that consumers are beginning to rely upon. Unfortunately, the products themselves are too often developed with minimal security controls and a lack of adherence to recognized security best practices. This leaves those who rely upon these products at risk of both information leakage and, in some cases, compromised safety.
VDOO believes that governmental organizations such as the Consumer Product Safety Commission (CPSC) will play a vital role in helping to mitigate the risks faced by society as the maturation of the IoT continues. We thank the CPSC for holding a hearing on this topic and for allowing VDOO to submit this written response.
A Dynamic Threat Landscape
VDOO believes that independent industry-driven certification is important based on the ever-changing threat landscape of the IoT market. We have already seen the results of attacks against consumer IoT products. Botnets such as Mirai and BASHLITE targeted consumer devices that used well-known and often unchangeable passwords. Remaiten and IRCTelnet compromised devices that were running insecure network services such as Telnet. These attacks were all highly preventable and demonstrate the lack of security engineering experience within IoT product manufacturers. We've even seen the rise of so-called vigilante code. For example, botnets such as Hajime were created to take insecure IoT devices hostage to "protect" them from malicious infection. This cannot be an acceptable response to the lack of security expertise within the industry.
To date, most real-world attacks against IoT devices have been of the botnet variety - relatively "dumb" code that spreads like wildfire throughout a population of poorly secured devices. This will not always be the case. We will soon begin to see the rise of targeted attacks against individuals and critical infrastructure. Attacker motivations are widely diverse and the IoT enables new and unique attacks:
- Organized crime attempting to steal money by planting ransomware on connected vehicles or within connected hospitals.
- Hacktivists aiming to make a statement by displaying messages on connected traffic signs.
- Nation-states focused on disabling or disrupting IoT-enabled critical infrastructure such as our water supply, food supply or electric grid.
- Terrorists aiming to cause harm and sow chaos by disrupting smart city operations.
If we as an industry do not quickly get serious about integrating security into the design, development and fielding of IoT products, citizens will quickly begin to experience the negative consequences of our inaction.
What Needs to Change?
We have seen these vulnerabilities in IoT devices and the potential for future attacks against cyber-physical systems. Society is relying more and more on the connectivity enabled by the IoT. Without change, vulnerabilities will continue to be introduced into not only consumer products, but also those critical infrastructure systems that integrate IoT devices for sensing, command and control, data analytics and other functions. These vulnerabilities may go unnoticed by most, but in the long term will expose the citizens of the United States to significant risk from motivated adversaries.
IoT technology is also advancing rapidly. While today we see relatively simple connected solutions, tomorrow will bring new levels of connectivity that enable automation across disparate systems. Medical robots will allow surgeons to operate on patients located half a world away. Smart city infrastructures will come alive, sensing and acting upon data with minimal to no human intervention. Our food supply will be cared for by autonomous unmanned systems. Without a focus on security today, the systems that our children will come to know as basic utilities will be built upon shaky foundations.
Something needs to change immediately. Manufacturers of IoT products must be made aware that they will be held accountable by the market and by regulators for failing to follow basic security engineering practices. We would not allow a vehicle manufacturer to sell a car without following strict safety guidelines. We should hold the developers of connected products to the same standard. Buyers of IoT products, whether they are consumers or businesses that integrate many products together, must be vigilant in their selection of IoT technologies. Buyers should only acquire IoT products that have undergone some level of security testing. Buyers should be able to have assurances that at a minimum, manufacturers have locked down their products against the common automated attack vectors that we have seen so often target and compromise poorly secured devices.
And yet, there is no real standard when it comes to IoT safety and security. Manufacturers are rightly confused by the rapid pace of technological change paired with a shortage of qualified system security engineers. Although the value of embedding security during the design phase of the product lifecycle is well known in the field of cyber security, this is a process that is not yet well understood by manufacturers. This is where the role of the larger cyber security industry comes into play. Organizations like VDOO have created analysis tools to automatically identify vulnerabilities in IoT devices. Manufacturers that remediate these vulnerabilities are able to obtain a voluntary certification - displaying to their customers that they value security and have gone through appropriate measures to mitigate safety risk and the risk of data loss within their product.
Industry consortiums have also created knowledge-bases for product security engineering. Organizations like OWASP, the IoT Security Foundation, and the Cloud Security Alliance have all spent years considering the threats to IoT systems and have published data that can help product owners better engineer their IoT products. These types of industry-driven efforts must continue, and be bolstered by support from Government agencies such as the CPSC. The Government has the potential to play a pivotal role in the long-term security of the IoT. Specifically, valued governmental contributions would include:
- Educating buyers on the need to be smart about acquiring secure products.
- Introducing regulations that require manufacturers to follow a minimum standard of due care in their product design and development. These regulations may be different based on the specific industry operated within (e.g., industrial vs consumer vs medical).
- Enforcing regulations whereby manufacturers that do not meet minimum standards should be subjected to fines commensurate with the impact of the vulnerabilities discovered.
- Promoting the value of voluntary certifications. Promoting voluntary IoT security certifications as an enabler of safer and more secure products across all industries.
- Sharing Information. Publishing information on resources that manufacturers and buyers can use to develop and acquire secure products, and collecting and making available threat intelligence.
- Funding research and development to investigate and field new technologies and approaches to securing IoT and autonomous systems.
How Can VDOO Help?
VDOO was founded to help resolve the insecurities found in today's IoT market. We believe that our approach to automated security analysis of IoT firmware can be used to significantly decrease the vulnerabilities exposed by IoT devices. Automated analysis that is based upon a deep understanding of the threats faced by IoT devices provides enhanced value over simply following best practice checklists. Automated analysis results can quickly get a vendor up-to-speed on device vulnerabilities even if that vendor has limited experience in threat modeling and security engineering techniques.
Once the vendor has remediated the vulnerabilities identified by automated analysis, that vendor is able to receive a VDOO compliance mark. The VDOO compliance mark can be used by buyers and system integrators to acquire IoT devices that have been validated against a minimum set of security controls, and tested to ensure that they do not expose the buyers to known vulnerabilities. This compliance mark is a valuable tool to help the industry-as-a-whole make progress on securing the IoT.
The VDOO compliance mark provides another benefit to buyers. While VDOO compliance demonstrates that an IoT product has met a minimum set of controls, it also demonstrates that a vendor has met requirements and controls specified by other organizations. VDOO has invested significant resources mapping the VDOO compliance mark to other compliance frameworks, including those from ENISA and NIST.
The VDOO compliance requirements are based on internally funded research aimed at better understanding today's IoT vulnerabilities and attack methods. This research allows us to stay current on the IoT threat landscape and adapt our automated analysis and certification approach based on the fast-moving changes we see in the market. One way that VDOO can help the CPSC on its mission to secure IoT devices is through sharing of information discovered while conducting this research. VDOO recommends that the CPSC establish mechanisms for industry information sharing and we would be happy to contribute to these sharing initiatives on a regular basis.
VDOO would also welcome the opportunity to discuss other ways that our organization can contribute to CPSC's mission of securing the IoT. Our engineers and analysts are already contributing to leading IoT security organizations including the Cloud Security Alliance (CSA), Federal Communications Commission (FCC), and IoT Security Foundation (IoTSF). Supporting CPSC initiatives around IoT security would be a worthwhile cause to bolster the overall security understanding and abilities of the IoT industry.
Thank you once again for the opportunity for us to submit this written response. We at VDOO believe in the importance of the CPSC's work in this area and wish to again share our willingness to help and contribute to the CPSC goals. Please find below our contact information for further discussions or clarifications on our statement.
For more information, please feel free to contact us.