Venturebeat has a nice contributed blog post by Michael Daly of Raytheon on the lurking problem of device insecurity within the consumer Internet of Things.
As Daly sees it, mass adoption of Internet of Things technologies seems destined to leave us with environments populated by low-cost and vulnerable devices whose makers don’t consider their wares valuable enough to maintain.
“Offering a constant stream of security patches and updates to keep low-cost devices safe and functional for the long-term requires money. If vulnerabilities are discovered, patches or updates might be issued, but only in the first year or two. The vendor expectation is that users will need to buy a full replacement or live with the risks — not to mention that users are not very likely to manage patches and updates for non-critical devices.”
In contrast to the kinds of managed networks we’re used to, where vendors like Microsoft and Apple push out security updates at regular intervals, Daly predicts a more ominous future. “Cheap and vulnerable devices will linger on networks like ticking time bombs, and the choice will be to either replace them or tolerate them with their liabilities.”
Both consumers and businesses will struggle to manage this vast ecosystem of connected devices, as legacy security monitoring and management tools (antivirus, firewalls, intrusion prevention systems) struggle with the scale and diversity of the IoT.
Daly’s article raises many of the same questions as In-Q-Tel CISO Dan Geer raised in his keynote address at our inaugural Security of Things Forum last May. Geer noted that “the embedded systems space, already bigger than what is normally thought of as ‘a computer,’ makes the attack surface of the non-embedded space trivial if not irrelevant.”
Despite the variety of devices and operating systems, Geer predicted that the embedded device space would shape up to be yet another monoculture – this one a ‘low end’ monoculture made up of common off-the-shelf processors, sensors and other embedded components. Rather than try to manage those devices over the long term, Geer suggested building in an “end of life” after which they would stop working, rather than lingering on networks unmanaged and insecure.