Security and the Internet of stuff in your life

The IoT isn't just a new attack surface to get into your enterprise — it's giving the Internet eyes and arms.

Your computer is important. It has access to your Amazon account, probably your bank, your tax returns, and maybe even your medical records. It’s scary when it gets pwned, and it gets pwned regularly because it’s essentially impossible to fully secure a general-purpose computing device. But the good news is that, at least for now, your computer can’t climb up the stairs and bludgeon you to death in your sleep. The things it manipulates are important to you, but they are (mostly) contained in the abstract virtual realm of money and likes.

The Internet of Things is different. We are embarking on an era where the things we own will be as vulnerable as our PCs, but now they interact with the real world via sensors and actuators. They have eyes and arms, and some of them in the not-too-distant future really will be able to climb the stairs and punch you in the face.

This piece from the New York Times has been getting some attention because it highlights how smart things represent an increased attack surface for infiltration. It views smart devices as springboards into an enterprise rather than the object of the attack, and that will certainly be true in many cases.

I think that’s only part of the story, though. These things are going to be a bridge between the virtual and real. We are building things that will both sense and act across that bridge. Your fancy thermostat might be a relatively unsecured bridgehead into the virtual world of your home network, as the New York Times points out, or it might be how a remote attacker freezes your pipes. This is getting real.

I’m not writing this post to be a fearmonger, but I don’t think the industry is taking the security realities of this transition seriously. It took 20 years before our pre-Internet personal computer operating systems acquired even the rudimentary level of security one would expect for connected machines, and there is little evidence that our connected device security is being taken any more seriously.

In industrial settings, the refrain is “air gap the important stuff.” But nothing stays air-gapped forever. In the consumer IoT, we don’t think about air gaps because that would be contrary to the whole point of making devices smart.

Maybe someday we’ll be able to make silicon design-time programmable and run-time single purpose at a scale that isn’t in the millions, as a way to make all these devices we’re spreading around less vulnerable. But in the meantime, we need to take seriously at least basic security in the devices we are designing and building.

  • http://broadcast.oreilly.com/david-collier-brown/ davecb

    At the same time, “things” can really increase your security. Imagine a watch with a cache of your most recent keys, communicating with less secure devices to hand out session keys over a very-short-range link. “New secure message: click against your watch to decrypt”

    • Jim S

      Good point. On balance, though, do you think all of our smart things are making our lives more or less secure? I guess if you count being able to call an ambulance from anywhere…

      • http://broadcast.oreilly.com/david-collier-brown/ davecb

        It varies wildly with the sharpness and business acumen of the persons developing them. No one puts security (or reliability, for that matter!) in a proof-of-concept, but an observant developer will often say “this new X is a lot like my old Y, so it’s an advantage to have capability Z”.

        In the case of library systems, which I like to use as an example, Z was confidentiality, and meeting the highest standards allowed Geac to sell everywhere in the world. Security, if you’re selling things into the EU, is a real business advantage.

        Generally, though, I see more klutzy and insecure things than not, and avoid them like the plague, not least because their company may not be in business for very long!