It is not breaking news that the Internet of Things (IoT) is growing—exponentially. It is fast becoming, as many have labeled it, the Internet of Everything.
It has also been obvious all along that the security of IoT devices isn’t keeping pace with that growth. But this news apparently still hasn’t penetrated the general consciousness of many users or creators.
Tim Mackey, principal security strategist at Black Duck, in a recent webcast interview with Security Weekly, noted that gap in response to host Mike Shemas’ opening question: “When you are thinking of IoT, what is one of the first messages you want to send about its ecosystem?”
The biggest challenge, Mackey said, “is the complexity and speed of development. Effectively what we have today is the moral equivalent of a land grab going on, where no matter what a device could potentially do, there’s at least a half dozen or maybe a dozen vendors who are actively pursuing it.”
“And security isn’t necessarily front of mind as much as feature/function and keeping pace with whatever the next new thing is. That is a bit of a challenge,” he said.
Indeed. A recent cover of Newsweek had the headline “Can You Trust Your Toaster?” Inside, above the cover story, was a declaration of the IoT’s bleak reality: “We’re surrounded by devices connected to the internet. Most of them are easy to hack.”
Not only are they easy to hack, but breaches of IoT devices can also do much more than steal data or credentials. They can have physical impacts—taking control of a car, opening door locks of a smart home, spying on a child through a nanny-cam, and so on.
That is one of the primary messages of Click Here to Kill Everybody, the September 2018 book by cryptographer, author, blogger, and self-described “public interest technologist” Bruce Schneier.
And there has been plenty of other reporting in recent years on how easy IoT devices are to hack. But Mackey’s observation reflects what remains the prevailing mindset: For those in the hyper-competitive IoT device market, features and speed trump security. Customers are still much more dazzled by what a device will do than how robust its security is. And developers fear that if they take the time to build security into a product, one of the dozen competitors developing a similar device will beat them to the market.
Mackey noted that among the goals for those making a “shiny new IoT device” are to “make certain that the device is going to be really stable and also is going to meet whatever the budgetary requirements are.”
But that stability is, again, generally about function, not security. Among the things “layered in” to such a device, Mackey said, are Wi-Fi connectivity, which can be hacked, and “some form of Bluetooth interface,” which can be hacked.
“The device is going to communicate with a something—probably a web service of some form or another—and that communication protocol should be something that’s efficient for the device,” he said. And of course, web services get hacked.
This doesn’t mean no thought at all is given to security. Vendors of commercial devices are aware, Mackey said, that they need to “ensure that whatever data is being collected is appropriately secured in some fashion that a consumer would be able to understand and expect.”
Within enterprises, one priority is to make sure that updates aren’t going to change a device so much that it will require things like “retraining my users how to book a conference room from the device.” But another priority is for the devices to “be managed so there is no data bleed. There are a lot of things related to privacy in an employment environment,” he said.
Even if security is a priority in IoT devices, though, it can be tricky. Matt Alderman, a co-host of the webcast, noted that such devices “aren’t running traditional operating systems in most cases. We’re talking truly embedded firmware systems, and that has a whole different nuance from the security perspective, because we can’t take our traditional OS-based approaches and wrap some security around them,” he said.
Mackey agreed, noting that makes it crucial for the hardware to be both stable and secure from the prototype stage.
“It’s very different than in a software world, where we can fail fast and early, and we can apply a DevOps principle on top of it where we are iterating toward success. In the hardware world, that hardware is kind of locked whenever it is first set,” he said.
“So getting it right from a security perspective really means ensuring that the device is stable under adverse conditions. That means there are threat modeling aspects, but also protocol-specific stability requirements.”
Beyond that is the desire of vendors not to let anyone steal their intellectual property (IP). That’s understandable, but it makes fixing security defects more difficult.
“Vendors are going to try and have what’s known as an electronic fuse in place to prevent someone from reading out something that they ought not to, or having some encryption algorithm on top of it. So even being able to debug what is actually running becomes problematic in the field,” he said.
There is, of course, some pressure coming from governments to improve IoT security, in the form of privacy regulations like the EU’s General Data Protection Regulation (GDPR) and the impending California Consumer Privacy Act (CCPA), due to take effect Jan. 1, 2020. Obviously, if data is to be kept private, it has to be kept secure.
But as both Mackey and Shemas noted, most of that collected data will be shifted to a cloud service for analysis, since the devices won’t have that capability. Most of the debate around that is, as Mackey put it, “the slippery slope with data management, because how long are you going to retain that data? Whose data is going to be used to train the algorithms to determine that they are actually coming up with interesting answers?”
But all that becomes much less relevant if the data is stolen by attackers. Which ought to bring the discussion back to what Mackey said was the biggest challenge of the IoT—that “security isn’t necessarily front of mind as much as feature/function.”