In late April, the National Institute of Standards and Technology released the preliminary draft of its "Securing Small-Business and Home IoT Devices" guide, providing manufacturers with clear recommendations for safeguarding internet of things technologies. This release is part of NIST's broader campaign to improve the default cybersecurity features of IoT devices sold in the U.S., as there are currently no federal standards in place to hold manufacturers accountable for releasing products with known vulnerabilities. With an estimated 20.4 billion connected IoT devices projected to be in use by 2020, according to Gartner, government officials are looking to establish best practices that will mitigate the rising prevalence of network-based attacks and protect consumers from identity theft.
Cybersecurity for homes and small businesses
The focus of NIST's new document is to provide device manufacturers with greater insight into the specific IoT security concerns that threaten consumers and small businesses. The document points out that most full-featured devices — computers, laptops, mobile phones, etc. — possess comprehensive security software to protect users from a range of common threats, from malware to cryptojacking. However, modern IoT-enabled devices are typically designed with less functionality, as they are meant to be inexpensive and limited in their use cases. For example, voice assistants like Google Home and Amazon Echo have a narrow range of capabilities compared to personal computers and mobile devices, yet they collect just as much sensitive information that hackers hope to exploit.
One of the biggest concerns is that IoT devices can be easily hijacked by malicious actors to launch denial-of-service attacks on institutional targets. In 2018, Square Enix and Ubisoft were hit with a series of large-scale DDoS attempts that caused major connectivity issues for their users, SC Magazine reported. Hostile users leveraged a massive botnet of infected IoT devices to flood the gaming companies' servers with more traffic than they could handle, leading to prolonged network interruptions and significant downtime. This type of cybersecurity threat has grown increasingly common, in part due to the unpatched and easily discovered software flaws in many popular IoT devices. But how does NIST propose to mitigate DDoS attacks?
NIST's manufacturer usage description
NIST's newly drafted guide explores the value of a manufacturer usage description architecture, which would limit the behavior of IoT devices and prevent exploitation from external sources. This is achieved by providing manufacturers with a standardized method to identify each device's type and the network communications it requires to perform its intended function. Once the MUD is deployed, a home or business network would be able to automatically permit or prohibit devices from sending and receiving traffic based on their specified type. This could stop malicious actors from absorbing consumer IoT technologies into their botnet, as the devices would be unable to transmit to unauthorized destinations. Additionally, NIST argues that MUD protocols would benefit almost every user segment, including:
NIST will be accepting public comments for its draft guidance document until June 24, but it will likely be several months before it releases a final version. While the agency's recommendations are not legally binding, they do suggest that government officials are considering wider reforms in the IoT space.
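As an added example (not taken from NIST's guide or from any vendor), the sketch below shows the allowlist idea behind the manufacturer usage description discussed above: a trimmed MUD file, with field names following RFC 8520, and a default-deny check of a device's outbound flows against it. The device, the hostnames and the allowed_from_device helper are constructed for illustration; the check compares DNS names directly and handles only exact-port TCP/UDP rules over IPv4.

```python
# Constructed MUD file for a hypothetical thermostat. Field names follow
# RFC 8520; the URL, hostnames and ACL names are made up for this example.
MUD_FILE = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://iot-vendor.example/thermostat-v1.json",
        "systeminfo": "Example thermostat",
        "from-device-policy": {
            "access-lists": {"access-list": [{"name": "from-dev-v4"}]}
        },
    },
    "ietf-access-control-list:acls": {"acl": [{
        "name": "from-dev-v4",
        "type": "ipv4-acl-type",
        "aces": {"ace": [{
            "name": "cloud-api",
            "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "api.iot-vendor.example",
                         "protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}},
            },
            "actions": {"forwarding": "accept"},
        }]},
    }]},
}

PROTO = {"tcp": 6, "udp": 17}  # IP protocol numbers


def allowed_from_device(mud, dst_host, proto, dst_port):
    """Return True only if a from-device ACE explicitly accepts the flow."""
    policy = mud["ietf-mud:mud"]["from-device-policy"]
    wanted = {a["name"] for a in policy["access-lists"]["access-list"]}
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue  # ACL is not referenced by the from-device policy
        for ace in acl["aces"]["ace"]:
            ip = ace["matches"].get("ipv4", {})
            port = ace["matches"].get(proto, {}).get("destination-port", {})
            if (ip.get("ietf-acldns:dst-dnsname") == dst_host
                    and ip.get("protocol") == PROTO.get(proto)
                    and port.get("operator") == "eq"
                    and port.get("port") == dst_port):
                return ace["actions"]["forwarding"] == "accept"
    return False  # allowlist semantics: anything not matched is dropped
```

In a deployment, the network's MUD manager fetches the file from the MUD URL the device announces and translates these rules into router or switch filters, so a compromised device cannot reach destinations its manufacturer never listed.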
Perle offers scalable, high-performance networking tools that can help small businesses and enterprises protect their core systems and keep up with the pace of IoT innovation. Read our customer stories to learn how we've helped other organizations take full advantage of IoT solutions.