Why ISPs Should Take the Lead in Securing IoT

A November 2018 Gallup poll found that Americans are more worried about cybercrime than violent crimes (including terrorism, being murdered, and being sexually assaulted). With news of hacked baby cameras and home routers being compromised, the burgeoning Internet of Things (IoT) has given rise to this fear. After all, who’d want a toy meant to comfort one’s child to be watching everything that’s happening inside a child’s room?

Security experts have predicted year after year that IoT devices will suffer the most attacks, and 2019 is no different. Short of stakeholders making the decision to improve IoT security, we will likely see these predictions for years to come.

Millions of Devices and More to Come

In partnership with Avast, Stanford University conducted a study looking at data from 15.5 million homes and 83 million devices across different regions. The report, “All Things Considered: An Analysis of IoT Devices on Home Networks”, found that 66 percent of households in North America have at least one connected device.

Researchers also analyzed the security of the devices and networks and found, “a significant fraction of devices use weak passwords on FTP and Telnet, are vulnerable to known attacks, and use default HTTP administration passwords that are left unchanged by users.”

While the prevalence of devices varies by geography, users’ efforts to secure the devices remain consistently negligible across the globe. “Home IoT is better characterized by smart TVs, printers, game consoles, and surveillance devices—devices that have been connected to our home networks for more than a decade. Furthermore, these are the kinds of devices that still support weak credentials for old protocols,” according to the report.

Devices, such as smart TVs, are commonly found in homes regardless of geography, but North Americans reportedly invest more in media devices. Though consumers the world over are increasingly investing in surveillance cameras, these devices tend to be more popular in Asia.

Interestingly, the study found that there are more than 14,000 device manufacturers, yet 100 of those vendors deliver 90 percent of all devices globally. These statistics raise the important question of who is responsible for IoT security.

Who’s Responsible for IoT Security?

In a recently published whitepaper titled “Home Router Security – The Buck Stops Where”, Patrick Donegan, principal analyst of HardenStance, said, “vulnerabilities in home and Small Office Home Office (SOHO) routers continue to expose their owners – and Internet users world-wide – to damaging attacks.” As consumers enjoy the convenience of these connected devices, they aren’t investing time in understanding how to secure their IoT gadgets.

“In the past, issues around home router security could be viewed largely as between end users, their router vendor and their ISP. But the rise in the automation of attacks and the proliferation of IoT is changing the balance of externalities arising from home and business Internet usage,” Donegan said.

In order to secure IoT, network operators need to deliver network-level security to their consumers’ connected devices. Although ISPs do have security protocols to prevent, detect and respond to cyber attacks, Donegan said, “They do this mainly to protect themselves. They can also combine their unique network-wide visibility and footprint in the home to protect the home networks of individual consumers.”

Network-level whitelisting and two-factor authentication are what Donegan described as “measures [that] can provide additional protection against many of the most straightforward attack vectors.”

Even though connected devices are inherently vulnerable, network operators can provide multi-layered security without end users having to carry out elaborate downloads or installations on their end. “The fundamental decision for the ISP remains essentially the same. It can lead in home router security. Alternatively it can wait for government to impose new regulations which may be less effective, more burdensome, or both,” Donegan said.


Article written by Kacy Zurkus