In-brief: Security and IoT experts say the challenge of securing the Internet of Things will be to “future proof” their products against as-yet unimagined threats and constraints.
Internet of Things manufacturers need to think long and hard about how to “future proof” connected devices before they deploy them, or risk exposing the public to everything from inconvenient hacks to physical harm.
Speaking at the IoT Stream Conference at San Francisco’s Bently Reserve on Thursday, the experts warned that security and privacy lapses are a top concern in the fast-evolving Internet of Things market and that more attention needs to be paid to how hardware and software can be maintained over years – or even decades – after devices are deployed.
Despite being the leading edge in technology development and adoption, Internet of Things products often repeat or carry over many of the failings and mistakes of prior waves of technology adoption, from network-based client/server products, to web applications, to mobile applications and the cloud, said Daniel Miessler, a Practice Principal in HP’s Fortify on Demand business.
For one thing, manufacturers of analog or disconnected devices are rushing to connect them to the Internet, but they are also struggling to master the nuances of cloud-based architectures and thorny issues like authentication and security for data at rest and in transit, Miessler said. “In some ways, IoT security is the worst of all worlds,” he said.
Miessler was in San Francisco to promote the IoT Top 10 List by OWASP (the Open Web Application Security Project), which highlights ten common security weaknesses that affect embedded devices and other connected systems that make up the “Internet of Things.” Among the issues OWASP is warning companies to be on the lookout for are weak user authentication schemes, insecure mobile application interfaces, and a lack of security around software and firmware updates.
Todd Greene, the CEO of PubNub, said that connected device makers need to think about ways to “future proof” their products: designing features that give them the flexibility to operate globally, make it easier to comply with shifting international data governance laws, and make it harder for cyber criminals or nation-state actors to get access to the data. “I really think you need to get the data off the device and into the cloud,” he said.
Internet of Things products are always on, always connected and (often) exploitable, said Joshua Corman, the CTO of Sonatype and head of the group IamtheCavalry, who added that more attention should be paid to the physical safety risks that remotely exploitable devices pose to public health and safety.
Corman and IamtheCavalry have advocated for more public attention to software security issues in connected vehicles, and lobbied Congress and automakers for standards that cover software security. Public safety needs to top any checklist for securing the Internet of Things. “I love my privacy, but I’d like to be alive to enjoy it,” Corman told an audience of technology experts at the event.
Commercial firms see more connected, sensor-rich devices – from delivery trucks to store shelves – as a way to improve business intelligence, productivity and competitiveness, said Ross Mason, the co-founder of the firm MuleSoft. A growing population of cloud-based platforms, APIs (application program interfaces) and other development tools help them create applications that manage and collect data from remotely deployed devices. “Security starts at the API layer,” said Mason, “but is that API security enough?”
Identity is another huge obstacle for companies that wish to play in the Internet of Things field, noted Justine Bone, the Chief Information Security Officer at the firm Hoyos Labs. “You’re talking about a population of billions of devices,” Bone observed. In the near future, provisioning and de-provisioning IoT devices will be a growing challenge (Greene talked about the chore of manually deleting all his personal data from his car prior to delivering it to its new owner).
Beyond that, identifying the individual or individuals associated with specific devices or even pieces of infrastructure is very challenging for companies, many of which already struggle to manage identities on a much smaller scale. Public key infrastructure (PKI) and much wider use of encryption will be needed to make sure that devices that are attempting to engage with other devices or infrastructure are sanctioned to do so, and that those controlling elements of the connected world are privileged to do so.
The consensus among security experts is that Internet of Things technologies are not yet posing an acute security problem for most organizations. The Verizon Data Breach report concluded that IoT technologies are not an imminent risk for enterprise security.
Compared to bread and butter online threats like phishing e-mails, web application attacks and malicious software infections, threats from connected devices are an asterisk – almost entirely “proof of concept,” Verizon said in its annual threat report. “Despite the rhetoric in the news about Internet of Things (IoT) device security, no widely known IoT device breaches have hit the popular media,” the company said.