How the BSI protects the IoT from itself
Have you ever bought an internet of things (IoT) connected smart lock for your front door? One such device, which we can’t name here, contained a serious cyber security vulnerability that affected all its users. Luckily, before it got to market, the team of testers and researchers at the British Standards Institution (BSI) got on the case to lock it down.
This flaw hinged on the commissioning process during the device set-up, says David Mudd, the BSI’s global digital and connected product certification director, who oversees such matters. If the device could be captured by a malicious actor during the set-up process, it became possible to spoof the hub to roll it back to a long-since superseded security standard and take control.
But how likely was that to happen in reality? Not very, Mudd tells Computer Weekly. “This is a smart lock,” he says. “For someone to make this work, they’ve got to know I’m buying a smart lock, be there at the time that the commissioning signal is sent or have someone or something sat there waiting for that particular signal to send.
“And at that point, they could potentially exploit a vulnerability that was declared six years ago that there has been no evidence that anyone has actively exploited. It’s a lock. If they want to break into your house, they’ll stick a brick through your window. We’ve got to look at what’s practical.”
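The flaw Mudd describes is a classic downgrade: an attacker who can spoof the hub during commissioning talks the device into a superseded protocol version. The following Python is an added illustration of the two checks that close that gap, not the unnamed lock's protocol or the BSI's test code. It assumes a per-device install code shared out of band (for example, printed on the device and typed into the hub), which the spoofed hub does not know; the version numbers, device ID and install code are constructed sample values.

```python
"""Downgrade-resistant version negotiation for device commissioning (added example).

Assumption: a per-device install code is shared out of band with the genuine hub,
so a spoofed hub cannot authenticate the negotiation transcript.
"""
import hashlib
import hmac
import json
from typing import Iterable

# Constructed sample values for the example, not a real product's parameters.
DEVICE_SUPPORTED = {3, 4}      # protocol versions this firmware implements
DEVICE_MIN_VERSION = 3         # hard floor: superseded versions 1 and 2 are never accepted
INSTALL_CODE = bytes.fromhex("0123456789abcdef0123456789abcdef")  # sample out-of-band secret
DEVICE_ID = b"lock-0001"


def derive_commissioning_key(install_code: bytes, device_id: bytes) -> bytes:
    """Bind the install code to this device so a key for one lock is useless for another."""
    return hmac.new(install_code, b"commissioning-v1|" + device_id, hashlib.sha256).digest()


def transcript(device_id: bytes, offered: Iterable[int], chosen: int) -> bytes:
    """Canonical encoding of everything the hub said, so any tampering changes the tag."""
    return json.dumps(
        {"device": device_id.decode(), "offered": sorted(offered), "chosen": chosen},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def hub_propose(install_code: bytes, device_id: bytes, offered: Iterable[int], chosen: int) -> dict:
    """Hub side: offer a version list, pick one, and authenticate the whole transcript."""
    key = derive_commissioning_key(install_code, device_id)
    tag = hmac.new(key, transcript(device_id, offered, chosen), hashlib.sha256).digest()
    return {"offered": sorted(offered), "chosen": chosen, "tag": tag}


def device_accept(install_code: bytes, device_id: bytes, proposal: dict) -> tuple[bool, str]:
    """Device side: refuse rollbacks, refuse 'choose low' tricks, refuse unauthenticated hubs."""
    offered, chosen, tag = proposal["offered"], proposal["chosen"], proposal["tag"]
    # Check 1: hard floor. A rollback to a superseded version is refused even from a genuine hub.
    if chosen < DEVICE_MIN_VERSION or chosen not in DEVICE_SUPPORTED:
        return False, f"version {chosen} below floor {DEVICE_MIN_VERSION} or unsupported"
    # Check 2: the chosen version must be the best one both sides support.
    mutual = DEVICE_SUPPORTED.intersection(offered)
    if not mutual or chosen != max(mutual):
        return False, f"chosen {chosen} is not the best mutual version"
    # Check 3: the transcript must carry a valid tag under the out-of-band install code.
    key = derive_commissioning_key(install_code, device_id)
    expected = hmac.new(key, transcript(device_id, offered, chosen), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "transcript tag mismatch: hub does not hold the install code"
    return True, f"commissioned at version {chosen}"


def scenario_legitimate() -> tuple[bool, str]:
    """Genuine hub, genuine install code, picks the highest mutual version."""
    return device_accept(INSTALL_CODE, DEVICE_ID, hub_propose(INSTALL_CODE, DEVICE_ID, {2, 3, 4}, 4))


def scenario_spoofed_hub_rollback() -> tuple[bool, str]:
    """Spoofed hub without the install code tries to roll the device back to version 1."""
    attacker_code = b"\x00" * 16
    return device_accept(INSTALL_CODE, DEVICE_ID, hub_propose(attacker_code, DEVICE_ID, {1}, 1))


def scenario_mitm_edits_offer() -> tuple[bool, str]:
    """Man-in-the-middle rewrites a genuine offer of {3,4}/4 into {3}/3 but cannot re-tag it."""
    genuine = hub_propose(INSTALL_CODE, DEVICE_ID, {3, 4}, 4)
    tampered = {"offered": [3], "chosen": 3, "tag": genuine["tag"]}
    return device_accept(INSTALL_CODE, DEVICE_ID, tampered)


if __name__ == "__main__":
    for name, fn in [("legitimate", scenario_legitimate),
                     ("spoofed rollback", scenario_spoofed_hub_rollback),
                     ("mitm edits offer", scenario_mitm_edits_offer)]:
        print(f"{name}: {fn()}")
```

The floor check alone stops the rollback Mudd describes; the transcript tag is what stops a subtler attacker who leaves the version within the supported range but still below the best available. Neither check helps if the install code is reused across units or printed somewhere an attacker can read remotely, which is why the key derivation binds it to the device ID.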
Such scenarios are not uncommon when it comes to cyber security disclosures, particularly those that relate to flaws in wireless networking protocols, a common problem with the IoT. Often they require such specific conditions to be met before a cyber criminal gains anything that exploitation in the wild is simply impractical.
This is changing now to some extent in the business world, where cyber criminals are conducting increasingly well-researched and targeted attacks, but for the average consumer, it’s not really a consideration.
“That’s something we really focus on when we’re assessing a product – what is the environment it’s intended to be used in and what are the real attack vectors likely to be as a result of compromising that product?” says Mudd.
The word pragmatism isn’t terribly sexy, but for the BSI, it’s a huge deal. “One of the differentiations I see in how we approach things is around taking a very pragmatic approach about what risk really is,” says Mudd.
Incidentally, Mudd’s team wouldn’t suggest you buy this particular lock and use it on a bank vault; but for home use, it was passed as fit for purpose. “Nothing will ever be 100% secure, but what we’ve got to say is that it’s secure for its intended use,” he says.
An IoT guarantee
Established just under 120 years ago as the Engineering Standards Committee, the BSI serves as the UK’s national standards body across a huge range of areas. Its Kitemark seal of approval was first used in 1903 and has become famous – it can be identified by over 80% of UK adults, the BSI claims.
Its IoT Kitemark, which launched in 2018, guarantees that a product meets several criteria: the manufacturer must achieve and maintain conformity to the ISO 9001 quality management standard, and the product must have passed relevant performance and safety tests, interoperability tests between the device and the internet services it depends on, and initial penetration tests. It must also undergo regular monitoring and assessment, consisting of functional and interoperability tests, further pen testing, and a Kitemark audit that reviews the pen-testing results in context and what actions have been taken in response.
As Mudd says, this doesn’t mean every product you see on a shelf that carries the Kitemark is ironclad. “When we’re looking to assess a product, we will never say that product’s secure,” he says. “What we will say is we have looked at its intended use and can say this product has the appropriate controls in place for that.”
The BSI also has some leeway to be pragmatic with how in-depth its testing needs to be. “Where it’s a product that has safety or security as its primary function, we will generally test that ourselves, in our lab, to a very high level,” says Mudd.
However, if a product has a different function that may not be so critical, the BSI will assess the technical files, but will let other certifying organisations out in the market assess that the product performs its core function, for example as a speaker or a hairdryer.
At the core of the testing are the 13 principles contained in the Code of Practice for Consumer IoT Security, drawn up in 2018 under the Secure by Design programme by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC). The first three principles of the code – that all consumer IoT device passwords must be unique and not resettable to any universal factory default value; that IoT device manufacturers must have a public point of contact for anybody to report a vulnerability, and that reports are acted on in a timely manner; and that manufacturers must explicitly state, at the point of sale, the minimum length of time for which devices will receive security updates – are now being legislated on.
“From my point of view, there is nothing complicated in those 13 principles that any manufacturer should not be able to do at the outset and design that in,” says Mudd. “But what we do see is that all too often, products fail even on those first three.
“Default passwords is an obvious one, but having a formal vulnerability disclosure policy and having a policy on software updates – it’s quite often those areas that companies are very wary of signing up to and committing to, but we will not put a mark of trust on any product that the manufacturer is placing it on that doesn’t have a responsible disclosure policy.”
Mudd understands why manufacturers might be concerned about these last two principles, but warns that sticking your head in the sand is worse, particularly when it comes to responsible disclosure.
“One of the key areas that we do see as being an issue here is that head-in-the-sand approach,” he says. “Too often I hear at conferences people saying they won’t get hacked, their product’s just a widget, just a light bulb, just a sensor – who’s going to be interested in that? Or that they use military-grade encryption, therefore they’re safe. There seems to be still some lack of ownership among manufacturers placing products on the market.”
Mudd reckons there are several reasons why this might be. Firstly, a lot of manufacturers are moving into the IoT sector that are new to it and don’t necessarily understand the risks, or are perhaps using third-party technology to enable a minimum viable product (MVP) very quickly without having appropriate domain knowledge.
“The key point here is to acknowledge that there’s going to be an issue and to have some process of managing it,” he says. “But we will not put a mark of trust on a product if the organisation does not have that.”
The BSI also assesses the wider system around the device, because even if the product can be shown to perform its core function adequately, this gives no assurance about, for example, the security of the firmware or chipsets, or what service-level agreements (SLAs) are in place with any third-party suppliers. Maintaining this level of assessment takes more than a physical test in a lab; it requires certification of the device’s controlling app and of any cloud storage and management systems associated with it.
Often, this will require the BSI to send people into the manufacturer to answer some key questions, such as: what are the skill sets of the design team; are they actually working to secure by design principles; how do they actually relay that to their supply chain; what SLAs have they got with their supply chain; and what are they doing for horizon scanning?
“This is just as critical for placing a mark of trust in the product as the physical testing, and that we see as a real differentiator,” says Mudd.
Mudd stresses that one of the central tenets of the IoT lab’s mission is not to spread fear, uncertainty and doubt, either among buyers of smart connected devices, or among the manufacturers submitting to the process.
“We’re not saying you need to get your product tested or you’re going to get hacked, but rather, there’s a lot of uncertainty out there and we can help embed trust in your product, reduce the risk around it, and help you differentiate,” he says.
“We see this as a positive thing, not as something you need to do to show you can’t get hacked. Our Kitemark doesn’t make a product good, our clients make the product good and that Kitemark reflects what they’ve done to make that product good and to differentiate.
“That’s the key message – it’s how to prove to the world that you’ve done the right thing … and enabling not just our clients to differentiate, but enabling consumers to start to understand the messages and keep up.”