Rambus’ Paul Karazuba recently penned an article for Semiconductor Engineering that takes a closer look at how consumer privacy and safety continue to be at risk from unprotected IoT devices. As Karazuba notes, security cameras represent approximately 47 percent of vulnerable devices installed on home networks. The basic attack techniques that target these devices, says Karazuba, include credential stuffing: attackers take username and password pairs stolen in breaches of other services and replay them against the camera vendor’s login endpoint in large-scale automated login attempts, counting on users having reused the same credentials.
“Camera users who don’t enable the optional two-step authentication, skip setting a unique password, or recycle credentials across multiple online services are at a greater risk of being hacked,” he explains.
Beyond security cameras, emphasizes Karazuba, a wide range of vulnerable consumer IoT devices are frequently targeted by hackers who actively search for devices with default or weak login credentials such as ‘admin’ usernames and ‘1234’ passwords. These include network-attached storage devices, printers, smart TVs, and IP phones.
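The two attack patterns described above leave distinct traces in a device’s or gateway’s authentication log: credential stuffing shows up as one source address cycling through many different usernames in a short window (each tried once, with the stolen password), while a default-credential sweep shows up as repeated attempts against vendor accounts such as “admin”. The detector below is an added example written for this page, not code from Karazuba’s article or from Rambus; the log format and the sample lines are constructed for the illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag credential-stuffing and default-credential probes in IoT auth logs.

Added example; the log format and sample traffic are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical key=value format from a camera gateway).
SAMPLE_LOG = """\
2020-01-15T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-01-15T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-01-15T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2020-01-15T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2020-01-15T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2020-01-15T10:00:04Z src=203.0.113.5 user=frank result=OK
2020-01-15T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2020-01-15T10:00:20Z src=198.51.100.7 user=alice result=FAIL
2020-01-15T10:00:30Z src=198.51.100.7 user=alice result=OK
2020-01-15T10:05:00Z src=192.0.2.9 user=admin result=FAIL
2020-01-15T10:05:01Z src=192.0.2.9 user=root result=FAIL
2020-01-15T10:05:02Z src=192.0.2.9 user=admin result=FAIL
"""

# Vendor/default account names that legitimate users should rarely log in as.
DEFAULT_ACCOUNTS = {"admin", "root", "user", "support"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_failures=5):
    """Flag sources whose failures in any `window` span >= min_users distinct
    accounts. A single account failing repeatedly is brute force, not stuffing,
    so 198.51.100.7 in the sample is deliberately not flagged here."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, _, user, ok in evs if not ok]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            win = fails[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= min_failures and len(users) >= min_users:
                flagged[src] = {
                    "failures": len(win),
                    "distinct_users": len(users),
                    # a success after the burst means a stolen pair worked
                    "later_success": any(ok and ts >= win[0][0] for ts, _, _, ok in evs),
                }
                break
    return flagged


def detect_default_probes(events, defaults=DEFAULT_ACCOUNTS):
    """Count failed attempts per source against default/vendor account names."""
    counts = defaultdict(int)
    for _, src, user, ok in events:
        if not ok and user in defaults:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_stuffing(evs))
    print("default-account probes:", detect_default_probes(evs))
```

The stuffing rule keys on username diversity rather than raw failure count, which is what separates a stuffing run from an ordinary brute-force attempt on one account; the `later_success` flag is the signal that matters most for response, since it marks a source that found a working pair. The default-account rule is a cheap complement that catches the “admin/1234” sweeps Karazuba describes even when the attacker rotates source addresses.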
Fortunately, says Karazuba, states such as California and Oregon have enacted legislation that could help prevent basic attacks against unprotected and vulnerable IoT devices. California’s SB-327, which went into effect on January 1, 2020, requires manufacturers of connected devices to equip them with reasonable security features designed to protect the device and the information it holds from unauthorized access, modification, and disclosure.
Specifically, for a device that can be logged into from outside a local area network, SB-327 deems the requirement met if the manufacturer either preprograms a password that is unique to each device, or requires the user to create a new password (or other means of authentication) before access is granted for the first time. Either measure, explains Karazuba, is expected to help protect California consumers, because attackers routinely target devices shipped with generic default credentials that are identical across an entire product line.
Another example of proactive legislation is Oregon House Bill 2395, which likewise requires manufacturers to equip IoT devices with “reasonable security features.” Any one of the following satisfies that standard: shipping devices with unique preprogrammed passwords, requiring users to create new passwords when a device is first activated, or complying with federal law and regulations that apply to security measures for connected devices.
As Karazuba points out, additional governments around the world are beginning to recognize the real-world risks posed by unprotected IoT devices.
“For example, the United Kingdom (UK) recently announced its intention to introduce new laws requiring security to be built into IoT devices,” he writes. “This would add to the UK government’s 2018 publication of the world’s first IoT code of practice, which outlines guidelines for manufacturers such as prohibiting default passwords and mandating secure credential storage as well as ensuring software integrity.”
According to Karazuba, passing proactive security legislation to prevent basic attacks against unprotected and vulnerable IoT devices is a good first step to protecting consumer privacy and safety. However, there is clearly much more that needs to be done before connected devices are secured against more sophisticated attacks.
“A siloed security co-processor, designed to execute security-centric processes completely independently of the main CPU, can better help protect consumers by preventing unauthorized access and monitoring suspicious system activity,” he elaborates.
Specifically, says Karazuba, a security co-processor can enable secure boot and runtime integrity checking, as well as provide remote authentication and attestation and hardware acceleration for symmetric and asymmetric cryptographic algorithms.
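The model below, added for this page and not code from the article or from Rambus, shows what the measured-boot and remote-attestation pieces of that list look like as a protocol between the co-processor and a cloud verifier. The co-processor hashes each boot stage into a PCR-style register and, when challenged with a fresh nonce, returns a quote over the nonce and the register. To stay dependency-free the quote is authenticated with an HMAC under a device-unique key that both sides hold from provisioning; a real co-processor would sign the quote with a private key it never exports, but the checks the verifier performs (freshness, authenticity, then comparison against golden measurements) are the same. The firmware images, stage names and key sizes are constructed for the illustration.

```python
"""Measured boot + remote attestation, modelled in Python (added example).

Assumptions: a TPM-style extend register, three boot stages, and an HMAC with a
provisioned per-device key standing in for the co-processor's signature.
"""
import hashlib
import hmac
import secrets

# Constructed stand-ins for the images the co-processor measures at boot.
GOLDEN_IMAGES = {
    "bootloader": b"bootloader v1.2 (constructed image)",
    "kernel": b"kernel 5.4 (constructed image)",
    "app": b"camera-app 3.0 (constructed image)",
}
BOOT_ORDER = ("bootloader", "kernel", "app")


def extend(pcr: bytes, image: bytes) -> bytes:
    """PCR' = H(PCR || H(image)). Order-dependent, so a modified, reordered
    or skipped stage changes the final register value."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def golden_pcr(images=GOLDEN_IMAGES) -> bytes:
    """What the verifier expects from a device running the known-good images."""
    pcr = bytes(32)
    for stage in BOOT_ORDER:
        pcr = extend(pcr, images[stage])
    return pcr


class SecurityCoprocessor:
    """Siloed from the main CPU: the key never leaves this object."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self.pcr = bytes(32)

    def measure_and_boot(self, images) -> None:
        for stage in BOOT_ORDER:
            self.pcr = extend(self.pcr, images[stage])

    def quote(self, nonce: bytes) -> dict:
        """Attestation report bound to the verifier's nonce."""
        mac = hmac.new(self._key, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "mac": mac}


class Verifier:
    """Cloud side: holds each device's provisioned key and the golden PCR."""

    def __init__(self, device_keys: dict, expected_pcr: bytes):
        self.device_keys = device_keys
        self.expected_pcr = expected_pcr
        self.outstanding = {}  # device_id -> nonce awaiting a quote

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, q: dict) -> str:
        nonce = self.outstanding.pop(device_id, None)
        if nonce is None or not hmac.compare_digest(nonce, q["nonce"]):
            return "REJECT: stale or unknown nonce (replay)"
        expected_mac = hmac.new(
            self.device_keys[device_id], q["nonce"] + q["pcr"], hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected_mac, q["mac"]):
            return "REJECT: bad MAC (not from the provisioned co-processor)"
        if not hmac.compare_digest(q["pcr"], self.expected_pcr):
            return "REJECT: measurements differ from golden firmware"
        return "OK"


def attest(device_id: str, verifier: Verifier, coproc: SecurityCoprocessor) -> str:
    """One challenge/response round trip."""
    nonce = verifier.challenge(device_id)
    return verifier.verify(device_id, coproc.quote(nonce))


def demo() -> dict:
    key = secrets.token_bytes(32)
    verifier = Verifier({"cam-001": key}, golden_pcr())

    good = SecurityCoprocessor(key)
    good.measure_and_boot(GOLDEN_IMAGES)

    tampered = SecurityCoprocessor(key)  # same device, implanted kernel
    tampered.measure_and_boot({**GOLDEN_IMAGES, "kernel": GOLDEN_IMAGES["kernel"] + b"+implant"})

    forged = SecurityCoprocessor(secrets.token_bytes(32))  # attacker without the key
    forged.measure_and_boot(GOLDEN_IMAGES)

    results = {
        "good": attest("cam-001", verifier, good),
        "tampered": attest("cam-001", verifier, tampered),
        "forged": attest("cam-001", verifier, forged),
    }
    # Replay: capture a valid quote and present it again after it was consumed.
    old_quote = good.quote(verifier.challenge("cam-001"))
    verifier.verify("cam-001", old_quote)
    results["replay"] = verifier.verify("cam-001", old_quote)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} {outcome}")
```

The order of the three checks matters: freshness first, so a replayed report is rejected before any work is done on it; authenticity second, so only a report produced inside the provisioned co-processor is believed; and only then the comparison against golden measurements, which is what actually detects the implanted kernel. A runtime integrity check is the same comparison applied to hashes of memory regions after boot rather than to boot images.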
“Put simply, a siloed security co-processor can help thwart determined adversaries and more sophisticated hacking techniques such as side-channel attacks,” he concludes.