Will a new IoT rating system be a game changer for cybersecurity?

This week, the Biden Administration convened a meeting at the White House to discuss Internet of things (IoT) ratings, with the intention of improving the cybersecurity of Internet-connected devices. Launching in 2023, representatives from the public and private sectors intend to form a labeling system where products are rated based on their cybersecurity. Ultimately, the administration’s goal is to implement a barcode-like label that consumers and organizations can scan to learn more about a device’s security performance. 

The initiative comes at a time when IoT devices present unprecedented threats to organizations and consumers alike. IoT devices currently exist in a sort of “Wild West” environment – organizations and consumers are largely in the dark when it comes to the security of these devices. As recent events have shown, the consequences of using and deploying vulnerable IoT devices can be disastrous and even life threatening. 

The Status Quo Explained

The proliferation of IoT devices has presented security challenges to their users. Too often is security performance for these devices ignored or inadequately addressed; and much of this is due to a market-driven need to hit the market quickly, cheaply, and with as little friction as possible. The IoT market is a fast-paced, profit-focused industry where security is often an afterthought. 

As such, the status quo of IoT device security is lacking at best. This means organizations and consumers are likely to at some point use – individually or at scale – a vulnerable IoT device. For an organization this could mean deploying a vulnerable GPS device to hundreds or thousands of delivery vehicles; and from the consumer side of things, this could mean personal information is easily intercepted by hackers given a device’s poor communications security.

Recent research showcases the dangers of IoT devices

In July, Bitsight discovered critical vulnerabilities in a vehicle GPS tracker (MiCODUS MV720) potentially allowing hackers to track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more. The scope and significance of these findings alarmed global user bases of organizations and consumers – how could a vehicle GPS tracker potentially cause so much harm? 

A particularly risky element of the latest IoT devices is their ability to become one with physical systems like vehicles and other machinery. The MiCODUS MV720 isn’t just any GPS device – it requires professional installation, granting it access to the vehicle’s physical gas line. This means whoever controls the device controls the vehicle's operability; if an attacker gains access to the device, then the attacker can shut off the vehicle’s gas anywhere, any time. 

And what about the third-party implications? If your organization is dependent on an organization with a large footprint of vulnerable devices like the MV720, you could end up experiencing supply chain disruptions. Operational disruptions could mean lost revenue, reputational damage, legal exposure, and much more. 

IoT device ratings: a step forward

The status quo of IoT device security leaves organizations and consumers at the mercy of potentially incompetent, or even malicious manufacturers. Initiatives like the one being discussed at the White House this week serve as a solid step forward towards setting the foundation for a safer, more transparent future of IoT cybersecurity.

Key questions must be answered. Who should create an IoT rating system? Who will comply with it? Will the market adopt a system? Will it improve device security? Bitsight looks forward to contributing to this important, emerging effort.