Following October’s massive DDoS attack on Dyn, which knocked out internet service for millions of Americans, many in the industry have been scrambling to come up with ways to secure the Internet of Things from being used as a pawn in future cyberattack schemes.
The Broadband Technical Advisory Group (BITAG) published a report on Tuesday (Nov. 22) that included its recommendations on how to improve the security and privacy of the IoT. BITAG is a group, comprising FCC Chief Technologist Dale Hatfield, Google, Intel, Microsoft, Verizon, Comcast and other tech industry giants, that was formed back in 2010 to develop a set of best cybersecurity practices for the tech industry.
In the report, BITAG wrote: “Several recent incidents have demonstrated that some devices do not abide by rudimentary privacy and security best practices … Some IoT devices ship ‘from the factory’ with software that either is outdated or becomes outdated over time. Other IoT devices may ship with more current software, but vulnerabilities may be discovered in the future.”
“In some cases, devices have been compromised and allowed unauthorized users to perform Distributed Denial of Service (DDoS) attacks, perform surveillance and monitoring, gain unauthorized access or control, induce device or system failures and disturb or harass authorized users or device owners.”
Though the report disconcertingly points out that many IoT devices may never be fixed, BITAG has laid out recommendations for IoT manufacturers and users to reduce the vulnerability of their products. The recommendations include following a set of best current software and cryptography practices: shipping IoT products with current software and a mechanism for automated, secure software updates, using strong authentication by default and encrypting local data storage.
Other recommendations include restricting IoT communication capabilities, ensuring devices continue to function in the case of internet or cloud back-end disruption, providing an easy-to-understand privacy policy and having the IoT industry consider an industry-wide cybersecurity program.
The threat is real — many experts agree that America is not at all prepared for a major cyberattack.