The internet of things (IoT) is an $11 trillion opportunity, breathlessly gasps McKinsey & Co. It will change marketing, business, health care, and everything … forever! declares Bosch executive Stefan Ferber and others.
Or it will, if it doesn’t prove to be a gargantuan security hellhole.
[ An InfoWorld exclusive: Go inside a security operations center. | Discover how to secure your systems with InfoWorld’s Security newsletter. ]
IoT introduces massive security vulnerabilities, according to Akamai chief security officer Andy Ellis, and it should be obvious to anyone paying attention to the IoT-fueled DDoS attacks that nailed security guru Brian Krebs. If such attacks depended upon sophisticated evasion of rock-solid security, perhaps we could rest easy, but as Lucian Constantin points out, IoT’s security woes stem from “a lack of basic security controls,” a contention backed up by Symantec research.
Actually, it’s worse than that. As porous as IoT devices and networks can be, they become even more brittle over time, Ellis argues, due to the difficulty in keeping the “things” updated with the latest security patches. In other words, no matter how secure an IoT service starts, it’s going to be very difficult to keep it so.
IoT: Big money, big risk
If we buy into the hype that IoT offers huge opportunity, we should assume the hackers won’t be far behind. Indeed, we’ve already seen plenty of examples of the good guys demonstrating what the bad guys might do: PenTest Partners showed off smart thermostat ransomware; two hackers pushed Chrysler into recalling 1.4 million cars after they demonstrated they could hijack a Jeep while driving; even baby monitors have been hacked.
Not that we make it hard for the hackers. As a recent Symantec’s research bulletin highlights, “Poor security on many IoT devices makes them soft targets, and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.” How nice.
It gets worse. According to the same report, “Most IoT malware targets non-PC embedded devices. Many are Internet-accessible, but because of their operating system and processing power limitations, they may not include any advanced security features.” In other words, a big swatch of IoT-land is not secure by default.
As if this wasn’t bad enough, even if we manage to introduce better security protocols for IoT devices, an even bigger problem looms: How do we keep them updated with the latest security patches?
Most consumers simply aren’t capable of managing the update process, Ellis warns. “If I want to patch [my IoT devices], I need to go to the vendor website, hunt for my model of device, download an executable to my desktop, and run it, when the executable will open a network hole and patch, upgrade the firmware on my device.” Few consumers will be able to figure this out, and even fewer will know that they need to do so.
Let’s say an IoT vendor figures out a way to introduce patches without consumer involvement, though some rightly doubt the patch process will be any better than the initial (in)security. (“Patching is a great idea, when it’s done right. But usually it’s done with the same forethought that went into creating the software in the first place. I.e., none.”) For a minute, however, let’s give the vendor the benefit of the doubt.
IoT vendors may figure out a ways to introduce patches without consumer involvement. Yet even if companies figure out how to patch their networks of devices, there’s also the likelihood that hackers will piggyback on those patches to introduce more vulnerabilities, as a sharp commentator on The Register describes:
Patching sounds good — except that attackers will start inserting attacks via patching mechanisms. This in turn requires code signing. Which in turn requires more CPU/memory power on the IoT. Which in turn will result in every IoT device being a full on mobile CPU. Which in turn makes the patching process more difficult and expensive.
Does this mean we’re doomed? Not yet. With the different DDoS attacks and clever hacks of CCTV and other systems, we’ve been given a wake-up call on IoT. In fact, it’s a big opportunity to reimagine customer experience and more.
But with that opportunity comes a responsibility to get much more serious about security in IoT. Until then, we’re one IoT security breach away from a major consumer retreat from the internet of unsecured things.