Feds offer ways to make Internet of Things more secure

Over 412 million users of adult websites operated by FriendFinder Networks Inc. were compromised last month in the largest hack of 2016, USA TODAY

SAN FRANCISCO – Having a home full of interconnected digital devices sounds like a futuristic dream.

But experts warn that without proper security measures, the Internet of Things could prove to be a nightmare.

That prospect looms even larger as the holiday shopping season nears and consumers fill their baskets with lighting, alarm and camera systems that rely on Internet connectivity for their app-based ballet.

Unsecured, billions of such devices could bring more hacks such as the one a few weeks ago that crippled popular websites such as Amazon, Spotify and Twitter.

“We have a rapidly closing window to ensure that security properly accounted for, (because) once an ecosystem is already built and deployed it’s infinitely harder to try to bolt on security at the back end,” Robert Silvers, assistant secretary for cyber policy at the Department of Homeland Security, said at a symposium Tuesday organized by the Coalition for Cybersecurity Policy & Law.

Silvers noted that building security into the heart of the connected devices flooding into our homes and businesses needs to happen sooner rather than later to protect the integrity of the Internet that we all depend on.

There are currently more than 6 billion IoT devices in operation globally, which range from products such as Nest’s thermostat to August’s front door lock, gadgets that offer operability from your smartphone and digital watch. In 2020, some 20 billion IoT devices will be online, according to Gartner.

Just weeks ago an attack that enslaved IoT devices — using video cameras, DVRs and routers to create an online weapon — took out websites on the East coast for much of a day.

Called a botnet, that weapon wouldn’t have been possible if proper security precautions had been taken at the beginning, Silvers said.

With that in mind, Homeland Security on Monday published a set of guidelines for companies building IoT devices to consider.

Many of these devices are likely to find their way under the Christmas tree this holiday season. While connected thermostats, lightbulbs, cameras and washing machines represent little threat to the people who own them, they can all too easily be co-opted by malicious software and used to launch attacks on larger targets.

Homeland Security’s first stab at design principals for these devices included incorporating security into the design phase, allowing patches to be sent over the air so users don’t have to update their devices and even considering whether such devices need to be constantly connected to the Internet constantly or just intermittently.

The problem is that the companies building the connected light bulbs don’t necessarily have a financial incentive to spend the money to make sure their lighting systems can’t be taken over by a botnet, Silvers said.

“We need to have a serious national discussion about this he said. “In many cases, the cost of poor IoT security is not borne by the entity in the best position to bolster security in a given product,” he said.

The conference, which had been planned before the election, was to focus on cybersecurity issues facing the incoming administration. But few attendees actually broached the topic. The incoming administration of president-elect Donald Trump has yet to spell on its views on technology and cybersecurity.

Follow USA TODAY tech reporter Elizabeth Weise on Twitter at @eweise

Read or Share this story: http://usat.ly/2fX7iCA