Internet of Things Needs Future Proofing

Crystal Ball on Tarot cards
Companies making IoT products need to think about making them “future proof” – able to withstand future threats and use cases.

In-brief: Security and IoT experts say the challenge of securing the Internet of Things will be to “future proof” their products against as-yet unimagined threats and constraints.

Internet of Things manufacturers need to think long and hard about how to “future proof” connected devices before they deploy them, or risk exposing the public to everything from inconvenient hacks to physical harm.

Speaking at the IoT Stream Conference at San Francisco’s Bently Reserve on Thursday, the experts warned that security and privacy lapses are a top concern in the fast-evolving Internet of Things market and that more attention needs to be paid to how hardware and software can be maintained over years – or even decades- after devices are deployed.

Despite being the leading edge in technology development and adoption, Internet of Things products often repeat or carry over many of the failings and mistakes of prior waves of technology adoption, from network-based client/server products, to web applications, to mobile applications and the cloud, said Daniel Miessler, a Practice Principal in HP’s Fortify on Demand business.

For one thing, manufacturers of analog or disconnected devices are rushing to connect them to the Internet, but they are also struggling to master the nuances of cloud-based architectures and thorny issues like authentication and security for data at rest and in transit, Miessler said. “In some ways, IoT security is the worst of all worlds,” he said.

Miessler was in San Francisco to promote the IoT Top 10 List by OWASP (the Open Web Application Security Project.), which highlights ten, common security weaknesses that affect embedded devices and other connected systems that make up the “Internet of Things.” Among the issues OWASP is warning companies to be on the lookout for are weak user authentication schemes, insecure mobile application interfaces, and a lack of security around software and firmware updates.

The panel at IoTStream. From left: Todd Greene, PubNub | Ross Mason, MuleSoft | Josh Corman,  SonaType | Justine Bone, Hoyos Labs | Daniel Miessler, HP
The panel at IoTStream. From left: Todd Greene, PubNub | Ross Mason, MuleSoft | Josh Corman, SonaType | Justine Bone, Hoyos Labs | Daniel Miessler, HP

Todd Greene, the CEO of PubNub, said that connected device makers need to think about ways to “future proof” their products: designing features that give them the flexibility to operate globall it easier to comply with shifting international data governance laws and to make it harder for cyber criminals or nation state actors to get access to the data. “I really think you need to get the data off the device and into the cloud,” he said.

Internet of Things products are always on, always connected and (often) exploitable, said Joshua Corman, the CTO of Sonatype and head of the group IamtheCavalry, said that more attention should be paid to the physical safety risks that remotely exploitable devices pose to public health and safety.

Corman and IamtheCavalry have advocated for more public attention to software security issues in connected vehicles, and lobbied Congress and automakers for standards that cover software security. Public safety needs to top any checklist for securing the Internet of Things. “I love my privacy, but I’d like to be alive to enjoy it,” Corman told an audience of technology experts at the event.

Commercial firms see more, connected, sensor-rich devices – from delivery trucks to store shelves – as a way to improve business intelligence, productivity and competitiveness, said Ross Mason, the co-founder of the firm MuleSoft. A growing population of cloud-based platforms, APIs (application program interfaces) and other development tools help them create applications that manage and collect data from remotely deployed devices. “Security starts at the API layer,” said Mason, “but is that API security enough?”

Identity is another huge obstacle for companies that wish to play in the Internet of Things field, noted Justine Bone, the Chief Information Security Officer at the firm Hoyos Labs. “You’re talking about a population of billions of devices,” Bone observed. In the near future, provisioning and de-provisioning IoT devices will be a growing challenge (Greene talked about the chore of manually deleting all his personal data from his car prior to delivering it to its new owner).

Beyond that, identifying the individual or individuals associated with specific devices or even pieces of infrastructure very challenging for companies, many of which already struggle to manage identities on a much smaller scale. Public key infrastructure (PKI) and much wider use of encryption will be needed to make sure that devices that are attempting to engage with other devices or infrastructure are sanctioned to do so, and that those controlling elements of the connected world are privileged to do so.

The consensus among security experts is that Internet of Things technologies are not yet posing acute security problem for most organizations. The Verizon Data Breach report concluded that IoT technologies are not an imminent risk for enterprise security.

Compared to bread and butter online threats like phishing e-mails, web application attacks and malicious software infections, threats from connected devices are an asterisk – almost entirely “proof of concept,” Verizon said in its annual threat report. “Despite the rhetoric in the news about Internet of Things (IoT) device security, no widely known IoT device breaches have hit the popular media,” the company said.

7 Comments

  1. There are some very tangible things that we can do right now that move us a long way towards securing the Internet of Things. Our mantra needs to be:
    o Harden the Devices
    o Secure the Comms
    o Monitor & Manage

    I can’t say to what extent it future-proof’s the IoT, but it certainly makes it more possible. At the very least folks developing things for IoT have to, as a MINIMUM, provide devices with

    o immutable HW ID (which is why Intel Security announced enabling 3rd-party chipmakers on EPID ISO/IEC/TCG DAA, privacy preserving, authentication IDs last year)
    o secure boot
    o whitelisting

    It makes a quantum leap in making the IoT more secure.

    As I discussed in the afternoon at the IoT Stream Conference, when you apply all 3 parts of the mantra, you get the results we’ve seen with the Smart Grid testbed in Texas (running since Dec ’13). The monitoring and management detected the zero-day Heartbleed activity immediately and allowed mitigation to be put in place, distributed to the entire testbed, within an hour. If we can protect critical infrastructure, we can protect the IoT

  2. Hey- awesome comments, IoTSecGuy. Let’s not repeat the mistakes of the past with IoT!

  3. No matter what I tried it always seemed like things
    would get so intense in no time at all. request for them within the movie request kind, and see them added for download.
    In case you’ve lost count, so far there have been five trailers released
    for Season 7 of ‘Sons of Anarchy.

  4. For one this, it relieves you from the tension and anxiety of uncertainty.
    They will also use spirit helpers and other guides which exist
    in the spirit realms and like to help mankind and its
    issues. Many of them can just connect to the person through a conversation.

  5. Pingback: Whitehouse Taps Google Advanced Projects Lead for Software Safety Lab | The Security Ledger

  6. Global learning is the prime aim of these online driving schools.

    The driving school, which is more near to your residence will be
    a better option for you. This method of choosing may work as a fluke for some, but for most others, a well researched choice is always a better option.