In-brief: Security, personal safety, privacy and policy are converging in what might be called a “post recall reality” for the Internet of Things. How to respond will be a key issue as top researchers and policymakers gather in Cambridge next week for The Security of Things Forum.
It has been a momentous six months in the life of the Internet of Things. In close succession, the world witnessed not one but two recalls of “connected” devices prompted by concerns about malicious cyber attacks. That, on top of the steady drum beat of warnings and research reports underscoring the privacy and security risks of the IoT.
Those events, combined with stirrings in both the legislative and executive branches of the U.S. Government suggest that the Internet of Things has crossed over into a new stage – what we might call a “post recall reality.”
The signal event of this transformation was, of course, Fiat Chrysler’s recall of 1.4 million late model cars in July. The recall was prompted by research conducted by researchers Chris Valasek (then of IOActive) and Charlie Miller (of Twitter), who developed a method of wirelessly attacking critical vehicle systems on Fiat Chrysler cars equipped with the company’s UConnect wireless connectivity software.
After initially responding to Miller and Valasek’s research with an (optional) software update, Fiat Chrysler instituted the recall to raise awareness of the need to apply the update, going so far as to ship USB drives containing the upgrade to owners of affected vehicles.
Within days of the Chrysler recall, there was another safety warning, this time from the Food and Drug Administration (FDA) which, on July 31st, advised hospitals not to use Hospira Inc’s Symbiq infusion system. That followed independent research by Billy Rios and Jeremy Richards on the Hospira pumps that prompted a warning from DHS about vulnerabilities in wireless drug infusion pumps and an earlier FDA “safety advisory” regarding the pumps. The security vulnerabilities in question could have allowed cyber attackers to take remote control of the system or pivot from the Hospira devices to other devices connected to a medical device network in a clinical setting.
Taken together, those two incidents suggest that concerns about the security of connected devices – especially those that provide life sustaining (or life threatening) services – have taken on a new seriousness, and that concerns about security and privacy issues created by the IoT have moved from the white board to board room, the halls of Congress and the headlines.
Which isn’t to suggest that anyone has solved the IoT and security problem. Just this week, researcher Mark Stanislav and his colleagues at Rapid7 unveiled research on a slew of wireless baby monitors that revealed a host of serious and – in some cases – remotely exploitable security holes. Despite having informed the manufacturers of the devices about the holes some two months ago, not a single one had a software fix in place by the time the researchers went public with their work. One firm hadn’t even acknowledged receipt of the researchers pro bono work.
This confluence of security, personal safety, privacy and policy – what I’m calling a ‘post recall reality‘ are going to be central topics of discussion this week at a very special event co-hosted by this blog and our friends at The Christian Science Monitor Passcode. The Security of Things Forum will bring together some of the country’s top researchers and sharpest minds to unpack these issues and to begin to chart a course towards a safe, secure and reliable Internet of Things that allows us to extend the reach and possibility of technology without undermining our privacy or civil liberties. Among our guests: Chris Valasek (now of Uber), Mark Stanislav and FTC Commissioner Julie Brill.
If you’re in the New England area, I encourage you to register to attend the Forum, which is happening in Cambridge on September 10th. As a Security Ledger reader, you’ll get 25% off the price of admission when you register using this link.