Number plate system proposed for IoT devices to boost security
A government advisor has suggested that unsecured IoT devices should be prevented from connecting to the web to thwart botnets, such as Mirai, and that a number plate-style system could be implemented to boost IoT security.
Permissive attitudes towards the internet and what can connect to it will become untenable as more and more household appliances turn ‘smart’, a leading authority on the so-called Internet of Things (IoT) has declared.
John Carr, a member of the UK government’s principal advisory body on internet safety, said he would support the establishment of a new licensing regime to ban unsecure appliances from being hooked up to the web.
The visiting senior fellow at the London School of Economics and Political Science told E&T: “I don’t think any device should be allowed to be connected to the internet unless it has been certified as secure.”
The likes of the Mirai botnet - a type of malware that laid siege to routers in the UK last year - should act as a wake-up call and prompt tighter regulation, even if that means applying the brakes on innovation, Carr added.
Mirai works by pressganging an army of unsecured IoT devices - ranging from toasters to children’s toys - into its service.
The UK government’s new National Cyber Security Centre already assesses certain types of devices, such as smart energy meters, to ensure they are safe from hackers.
Carr’s comments follow a thoughtful blog post in which he outlined what an “extremely radical” overhaul of the existing, relatively unregulated environment surrounding the internet might look like in the near future.
He even went as far as to suggest “more or less tearing up the internet as we know it today” by creating a new and better version to supplant it.
Carr wrote: “Internet 2.0 would have security embedded at every level. It would slide in alongside the existing internet, would not connect to it, but would eventually become such an overwhelmingly attractive alternative for the vast majority of people that Internet 1.0 would wither away.”
On Internet 2.0 “no one could log in from anywhere unless their identity was known with a high level of certainty”. They would also be barred from connecting via a device that had not been certified as meeting stringent security standards. In such a situation, user-generated content might also not be allowed to exist, with the result that traditional forms of journalism would re-emerge and ‘fake news’ would wither, Carr argued.
In a partly tongue-in-cheek paragraph, he wrote: “Permission-less innovation does not become history, but the rate of innovation, at least in terms of physical devices, likely slows down. Apps may take days longer to reach an App Store as they, too, are more rigorously examined prior to release. At the last count, there were 7,588 different ways to view a video of a cute kitten playing with a ball of wool. We may need to wait a whole extra week for the 7,589th.”
Carr is one of a growing number of voices actively challenging the arguably idealistic assumptions about a free, unregulated internet where anonymity is not merely possible but is often tacitly encouraged and seen as a foundation stone of privacy and human rights.
Abuses ranging from mild trolling on social media to sales of guns, drugs and child abuse images on the dark net have been facilitated because of the secrecy afforded to users of this technology, critics say.
Carr has in the past suggested creating a new worldwide system equivalent to that which is used to identify drivers involved in police incidents. Under such a scenario, internet users would need to use the digital equivalent of a number plate to connect to the web. Those who refused would leave themselves open to prosecution.
Speaking to E&T, Carr acknowledged changing the nature of the internet would “not be easy” and that the changes he proposed would hit less developed countries hardest, but he said the alternative - in which criminals were allowed to flourish and hackers could run rampant - would be even worse.
His car analogy has also been taken up by Mike Barton, the chief constable of Durham Constabulary, who regularly comments on the internet and the challenges it poses for police.
Barton told E&T: “Cars used to be stolen left, right and centre and of course then they started being rated for security. All of a sudden, they’ve now got immobilisers and all sorts and cars don’t get stolen as much.
“Here we have products on the market, like for example a lot of these [IoT] products, which have just got factory-setting security codes like 0000 or 1234, so it’s really straightforward for you to get into them and that’s the back door into other smart computers.
“If you buy a smart fridge and it’s got a factory setting, well, why don’t we insist the factory setting only lasts for a week and then the fridge closes down until you actually give it a discrete code number yourself, so you are actually designing in capability that forces the consumer to make it safer?”
Barton added: “You can’t actually sell a car that’s unroadworthy and you have to take your car to be MOT-ed every year so it isn’t unroadworthy and if you’ve not got a valid MOT, you can’t get any insurance. It’s possible with cars. Why do we allow these [IoT] things to be so dangerous?”