Surviving the IoT Cyberattack Pandemic

Assess your risks, secure your firmware and comply with the ever-changing regulatory landscape.
By Ronald E. Quirk and Terry Dunlap

Securing Firmware Is a Critical Cybersecurity Measure
Firmware is the software that actually runs IoT and connected devices, so securing it is the single most effective way to reduce their cyber risk. Manufacturers of IoT devices, and the other parties involved in securing, underwriting or litigating products that face cybersecurity risk, should begin any examination of a device with an evaluation of its firmware.

Because the attack surface of a connected device is large, a constructive place to start is to engage an expert who can efficiently reverse-engineer the firmware and reveal the vulnerabilities most likely to be exploited remotely by criminals and state-sponsored actors. This evaluation should begin at the design phase of any IoT device, not after it has shipped.

Another proactive step IoT manufacturers should take is to employ engineers and developers who can think like attackers and who understand how their own devices could be exploited. Security training focused on exploiting embedded software is the key to building that capability.

Effective embedded firmware security training is live, hands-on instruction that combines lectures with labs in which students attack off-the-shelf devices already on the market. Students learn to protect their own companies' embedded devices and become part of a community of practitioners with a stake in security.

Having an IT staff solidly educated in cybersecurity is not only good business practice but, in effect, a legal requirement. As discussed below, the Federal Trade Commission (FTC) includes security personnel practices in its IoT security guidelines, while the Federal Communications Commission (FCC) has opened a comment proceeding that will likely result in cybersecurity reporting requirements.

The Law Mandates Secure IoT Devices, With More Regulations on the Way

The Federal Trade Commission
As IoT exploits grow in both number and impact, companies must shore up the security of their embedded devices to mitigate risk. Failing to do so can violate the Federal Trade Commission Act (FTC Act), which prohibits "unfair" and "deceptive" acts or practices affecting commerce. Violations of the FTC Act can result in substantial fines and other sanctions on the parties responsible for securing IoT devices: typically the manufacturer, importer or vendor.

The FTC has brought hundreds of cases seeking to protect the privacy and security of consumer information. In these enforcement actions, the FTC has alleged that companies acted deceptively in violation of the FTC Act by, among other things, failing to provide reasonable security for consumer data.

One of these cases involved a company whose vulnerable software enabled attackers to deploy malware that captured consumers' usernames and passwords for financial accounts. The company told its customers that installing the update would make their systems secure, but the update only removed the more recent versions of the software, leaving older, easily exploitable versions in place.

To help companies avoid such violations, the FTC has issued recommended best practices for IoT device manufacturers. These include security by design, security risk assessments, security testing and security personnel practices.
