It's time to rethink the way we design security for the Internet of Things and put some consequences behind those that don't follow the rules, according to a security consultant.
IOActive broke the news last week that one of the country’s best-known home security systems can be easily overridden and controlled by a simple tape recorder and battery. Last month, it was widely reported that vulnerabilities were found in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors were closed and secured, even if they’ve been opened. And you may remember that last year, IOActive was able to successfully hack a Jeep Cherokee and take control of the vehicle while it was driving down the highway at 70 mph.
All these systems are part of a new connected Internet of Things (IoT). What’s more, nothing has changed in security procedures for such products since these breaches—and dozens of others—came to light.
According to analyst firm Gartner, 6.4 billion connected things will be in use worldwide in 2016, and 5.5 million new things will get connected every day. If that math is anywhere near correct, we can expect breach after breach after breach.
Products are marketed and sold to hundreds of thousands of trusting consumers as “security products” simply because they can be. IoT products don’t fall under anyone’s jurisdiction. The only consequence vendors face is a potential public backlash, and that’s unacceptable.
All the attention garnered by breaches has made security a buzzword, but that’s pretty much where it stops in many cases. There has to be vendor accountability, and that likely has to come in the form of regulation. Today there are no ramifications for putting a product on the market with severe vulnerabilities.
Twitter’s security chief recently called for basic standards for the front end so at least basic boxes are checked before products can go to market. Even better, security needs to be an inherent part of the device design and manufacturing process. A mindset of designing security in from the beginning is more critical than ever as products grow more connected.
Another hole, however, is on the back end. Vendors need an entity they are required to respond to when credible vulnerabilities in their products are brought to their attention. There is no authoritative entity that can hold companies accountable with fines, injunctive measures or even a mandated basic warning to consumers.
There are challenges to leaving a public entity to do this alone. Organizations like US-CERT are a start, but they don’t currently have the resources to deal with these kinds of breaches—especially as their volume grows.
The Obama Administration is making cybersecurity a priority, with plans for more protection and upgrades to public sector networks. But there needs to be a consortium of public and private organizations and expert entities tasked with developing standards, and government bodies empowered to put at least some teeth into enforcement.
The mission of groups such as IOActive is to stay ahead of the bad guys in identifying vulnerabilities, alerting the vendors and, if asked, proactively working with them to remediate the issues. However, there are too many products and bad guys, and not enough vendor accountability mechanisms and good guys, to prevent insecure and unsafe products from hitting the market en masse.
IoT security is bad and will only get worse as millions more devices come online. It's long past time for manufacturers to be adhering to security fundamentals when building their products, and we need to have the conversation about repercussions when they don't.
-- Daniel Miessler is Director of Advisory Services with IOActive and has more than 17 years’ experience in information security.