Exploding sneakers are only one reason for passing IoT cyber-security regulations

By Jerry Bowles, March 18, 2019
Summary:
Is the third time the charm for the US Internet of Things Cyber-Security Improvement Act of 2019?


It’s been a bad month for the iconic sports company Nike. Not only did Zion Williamson of Duke University, the top U.S. college basketball prospect, injure his knee only 30 seconds into a game against arch-rival North Carolina when his ordinary left Nike PG 2.5 sneaker exploded on national TV, but early purchasers of the company’s highly promoted Nike BB Adapt, a $350 self-lacing sneaker straight out of “Back to the Future II,” also started flooding the company with complaints.

The BB Adapt contains smartphone-grade electronics that can be controlled via an Android or iPhone app. Many early purchasers quickly discovered that the Android app wasn't syncing with both shoes. In the schoolyard vernacular, the shoe “bricked.”

Both incidents were embarrassing for Nike and briefly brought the company’s stock value down but—more importantly—the BB Adapt fail was a useful reminder to technologists and their enablers that a world in which everything that can be connected to the internet likely will be is a world where unintended consequences are going to occur—with both hilarious and deadly serious results.

The notion that billions of devices - of varying degrees of usefulness and levels of security - are going to be happily connected together and constantly working to make the lives of human beings a bit easier and more rewarding is fairly ludicrous on the surface.

What all these devices, objects, sensors and sneakers are doing is creating an enormous playground for hackers, who will continue to probe the connections between low-power, dumb devices and critical infrastructure to mount Distributed Denial of Service (DDoS) attacks: swarms of poorly protected consumer devices turned against public infrastructure through massively coordinated misuse of communication channels.

While these devices, and the data they collect and transmit, potentially offer enormous benefits to consumers and industry, the relative insecurity of many of them presents unpredictable challenges. Sometimes shipped with factory-set, hardcoded passwords, and often impossible to update or patch, IoT devices can be the weak point in a network's security, leaving the rest of the network vulnerable to attack.

Hacker-created IoT botnets can direct enormous swarms of connected sensors like thermostats or sprinkler controllers to cause damaging and unpredictable spikes in infrastructure use, leading to things like power surges or reduced availability of critical infrastructure on a city or state-wide level. See the infamous Mirai hack of 2016 for a look at how destructive a well-planned IoT attack can be.

Welcome to the Internet of Things, which has the potential to be almost as great and amazing as the marketers say it will be, but right now feels a bit like the Wild Wild West before the new marshal arrives in town. Gartner says there will be more than 20 billion IoT devices in the world in 2020.

It's a crowded, dangerous world and one that raises an existential question: Does a Barbie Doll really need to be connected to the internet?

There is plenty of skepticism about IoT going around. Stories about strangers hacking into baby monitors and talking weird to infants have created a rightful mistrust in the general public. I, for one, don’t want my refrigerator to know I ate the last piece of chocolate cake. So wacky has a lot of this become that one bright fellow has even created a Twitter account called @internetofshit which tracks the more ridiculous ideas for connected products. It has almost 380,000 followers.

Help is on the way…maybe

Senators Mark Warner (D-Va.), who is as close to being the Marshal Dillon of the internet as we have in the US Congress, and Cory Gardner (R-Colo.) last week re-introduced a bill aimed at improving the cyber-security of Internet-connected technologies ranging from connected cars and medical devices to cameras and speakers. Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.) introduced a companion bill in the House.

The bill, which Warner and Gardner first introduced in 2017, would require the Commerce Department to write voluntary standards for how the industry can securely develop and maintain those devices but mandates that government agencies and their contractors abide by those standards. It would also urge Internet of Things manufacturers to co-operate on finding and alerting people about hackable computer bugs in their products.

The current bill, supported by members of both parties and known as the Internet of Things Cyber-security Improvement Act of 2019, eschews specific recommendations and instead calls for the National Institute of Standards and Technology (NIST) to develop security guidelines for IoT devices sold to the US government. Senator Warner said:

While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security. This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.

Specifically, the Internet of Things Cybersecurity Improvement Act of 2019 would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
  • Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
  • Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies so that if a vulnerability is uncovered, that information is disseminated.

My Take

Billions of lightly secured, easily discoverable devices and toys connected to the internet. What could possibly go wrong?

It is perhaps an indication of how seriously US regulators are taking the IoT threat that this is the third year in a row in which the same bill has been introduced. It may have a better chance this year since it leaves it to NIST to develop the rules rather than spelling them out in detail.

With luck, manufacturers will quickly discover that there isn’t a huge market for “smart” sex toys and nagging lawn mowers and toilets that ping you if you forget to flush and cute little cameras that let you see the world from your baby’s perspective. Perhaps, we’ll even find that many basketball players still like to tie their own shoes.

The whole thing becomes considerably less funny when you consider that the most likely suspects in the deadly crashes of the two new Boeing 737 Max 8 aircraft are the sensors and software that automatically point the nose down when they think the aircraft is about to stall.