The European Commission (EC) is drawing up plans to regulate the Internet of Things (IoT) space after a series of major cyber-attacks demonstrated how easily connected devices can be compromised by hackers.
During an October 4th press conference in Brussels, a spokesperson for the EU’s executive body told reporters that consumers must have confidence that their connected devices are safe to use, and will not compromise their online security. Thibault Kleiner said the EC wants to introduce a certification programme that will ensure the owners of IoT products are properly protected from hackers.
The new framework would effectively force connected device manufacturers to incorporate stronger cybersecurity features into their products. Many commentators have observed that IoT devices – including smart home CCTV cameras, connected appliances, set-top boxes and even connected cars – are often rushed to market with security as a distant afterthought.
Under the EC’s plans, companies will be encouraged to create a new labelling system to demonstrate that their devices are secure, much like the European energy-consumption labelling scheme introduced in 1992. Last year, the Commission set up the Alliance for Internet of Things Innovation, which will likely play a key role in establishing the new framework.
A recent string of large-scale Distributed Denial of Service (DDoS) attacks – in which hackers take control of connected devices and use them to bring down websites by flooding their servers with data – has highlighted how easily cybercriminals can hijack IoT devices.
The main reason for this is that connected device makers typically ship their products with simple default passcodes that hackers can easily guess, allowing them to take control of individual devices and, more worryingly, the networks to which they are connected.
As well as allowing hackers to create so-called botnets of slave devices that can be used in DDoS attacks, these types of weaknesses can also let cybercriminals access device owners’ personal information, or even take control of their smart products.
At the end of September, the biggest DDoS attack in history took down the website of online security expert Brian Krebs. At its peak, the site was bombarded with 600 to 700 Gbps of fake traffic. Only days later, web hosting company OVH was hit by a similar attack that saw 1.1 Tbps of data knock it offline. Both attacks are thought to have been facilitated by an army of infected smart devices which make up the Mirai botnet.
The Mirai network is made up of thousands of IoT products compromised by malware that tries a list of 61 username and password combinations to hack connected devices, demonstrating just how little effort IoT manufacturers are currently putting into making sure their products are as secure as they can be.