4-Nov-2014 - While innovation is good, without security many will be left wide open to attack.
The Internet of Things (IoT) is about the connectivity of embedded devices, and the ubiquity of that connectivity.
Mark Stanislav, security project manager, and Zach Lanier, senior security researcher, both at Duo, spoke at SecTor on The Internet of Fail: where IoT has gone wrong and how we’re making it right.
You can see the Internet of Fail slides here.
“An analogy is the router – it does something important, needs updating, and when you have so many of them they’ve become targets,” said Stanislav. “We’ve gone from Wi-Fi, which is important, to what if one of these things is compromised and your home gets broken into?”
Many users have a mobile app that uses a cloud-based service to talk to a device at home. You’ve got systems, apps, web, mobile, and all of that talks to web services. If that connection, or any other service the device depends on, is compromised, the device may become a pivot point for attackers.
“If something gets broken it’s like a plate of spaghetti… you’ve got some linguini, some angel hair, maybe some penne… and the notion is disparate components – from the radio technology to the web service it talks to, through the web service it’s running on – are all connected,” Lanier said. “You’re introducing all this risk, because you’ve got a 25 dollar device in your desk or in your light bulbs or something.”
Indeed, much hardware is inexpensive and powerful. On Kickstarter and Indiegogo, people build products from off-the-shelf commercial parts.
“The barrier to become an IT vendor is very low, and the security experience is too,” said Stanislav. “They aren’t IT people… they’re entrepreneurs hoping to make big money on the next big thing. They’re thinking, for example, of putting a printed circuit board with chipsets and wireless chips in a 2cm x 2cm box that they can crowdfund to build and ship over a weekend. While the innovation is good, if those people don’t have their security chops it’s going to leave a lot of people wide open to attack.”
Seeing such projects with security flaws – often from vendors who aren’t even considering security – got Lanier’s and Stanislav’s attention. That spiraled into helping vendors and researchers put more focus into securing the IoT. Fortunately, there’s more focus on security now.
“Our goal is an initiative to build it securely,” Lanier said. “We get some of the best IoT researchers in the world and pair them with vendors who are concerned about security in their devices. We try to cut off the concerns we know about, and develop better relationships between vendors and security researchers.”
The duo also curates resources, including presentations and white papers, intended to teach vendors to do a better job, which cascades into more secure products. Vendors are now approaching them, asking for help with how to engineer secure devices.
Vendors the Duo team has already helped include Belkin and Dropcam, while researchers include IOActive and Duo partner bugcrowd, which helps triage bugs between vendors and researchers.
As you can imagine, written agreements are necessary to delineate each side’s expectations and responsibilities.
“Researchers want to break devices,” said Stanislav. “When you don’t have relationships, legal issues arise, and bad blood. This is opt-in, when the vendors say they want us to break their stuff. It lowers the incline of the uphill battle toward secure devices.
“There’s a lot of room for growth, and we hope to interest more before that growth gets out of control, so that we’re not retroactively trying to solve the problems like we are with everything else on the Internet.”