Is-IoT-Security-a-Market-for-Lemons-1Since we’ve been looking at IoT security in a more detail we’ve noticed that concerns around connected devices are continuing to rise. This is illustrated by July’s issue of The Economist where there are two articles on the theme outlining the perils of connected devices in the home, and more generally amongst the Internet of Things.

In Home, Hacked Home: The perils of connected devices“,  the author outlines how a Foscam was used by a hacker to shout obscenities at a sleeping baby. This was not the only occurrence. The company responded by upgrading its software and encouraged users to change the default password. Problem solved… or is it?

In another, “Hacking the planet: The internet of things is coming. Now is the time to deal with its security flaws“, the publication explains that “computer security is about to get trickier” when “a world of networked computers and sensors will be a place of unparalleled convenience and efficiency” as IoT drives towards those lofty figures of connected things – measured in billions of course.

Is it a disaster in the making? It could be unless all stakeholders play their part in making sure that systems are made secure, and kept secure over time – because “things” will likely have a lifetime much greater than a PC or mobile phone. The Economist suggests, not billions, merely three things, which will make IoT less vulnerable:basic regulatory standards, a proper liability regime & heeding lessons learned a long time ago.

What else could go wrong? How about a bit of carjacking – of the wireless kind? Andy Greenberg of Wired recently published an article titled Hackers Remotely kill a Jeep on the highway – with me in It. Two hackers, known to Greenberg, had invited him to take a drive in the knowledge that they would be tampering with the vehicle – live! The advice they gave pursuant to their high jinks; “no matter what happens, don’t panic”. Scant advice when they disable your brakes before you slide into a ditch. All this is possible because a cellular connection allows access via the vehicle’s IP address (apparently). We’ll know more about how Miller and Valasek did this after their forthcoming Black Hat talk. Fear not though as there’s good news, Chrysler has released a patch on their website. There’s not-so-good news too: the patch must be manually implemented via a USB stick or mechanic (hmmm).

Following on the automotive theme: At the recent IoT Security Summit hosted at Bletchley Park, Flavio Garcia from the University of Birmingham gave a talk entitled “Automotive Security: The Bad and the Ugly“. Garcia starts by explaining that the context for automotive security is challenging, in part because of the right-to-repair legislation and complex supply chain issues. He then sets to challenge a particular semiconductor manufacturer on its claim that it had “unbreakable security” (a bold statement!) and further outlined how security had been implemented – rather poorly as it turned out.

This brings us to the lemons. Garcia makes a very important point about security – when you cannot assess the quality of the product, buyers will tend to differentiate on price – i.e. the cheapest wins. In this regard, he compares automotive security as a market for lemons.

Given the rise of column inches given over to matters of IoT security, it is clear that much more needs to be done to limit the opportunities for adversaries from hacking into our future connected world. The era of the internet of things is significantly different from the PC and mobile era’s and this time we have the chance to get ahead of the game. This endeavour may be challenged by an impatient profit-motive however, and the desire to rush products to market.

So, is there an acceptable compromise? There has to be. Businesses are starting to realise that this is no longer simply a technical issue – with reputations, profits and potentially so much more at stake, it’s a boardroom discussion. Yet whilst we determine what changes are necessary, we need to applaud the work of the researchers and the ethical hackers for helping us to see the problems more clearly. In this way, we will accelerate our progress with significantly less pain than burying the problem.

There are plenty of horror stories out there but if you want to see an amusing, yet serious take on product security, take a look at Ken Munro’s talk “The Internet of Thingies“.

How can we address the issues? IoT security is a very complex matter. It will take a great deal of collaborative-working on a global scale to make sure the totality of systems (technology, products, services, quality, regulation…) is fit for purpose. Earlier this year, NMI started creating momentum towards that objective by working with a number security experts, product companies, researchers, service providers and more to look at ways to address the near and long-term issues. We’re almost ready to tell you what the answer is – but not quite. In the meantime, if you’d like to be part of the conversation please join in at iotsecurityfoundation.org

[dcwsb inline=”true”]