Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The right way to secure the Internet of things

Roger A. Grimes | April 16, 2014
Security products and practices will be reinvented to protect the Internet of things, but the real solution centers on a simple idea

IoT (Internet of things) had to happen eventually, like flying cars. As it turned out, we got IP-connected cars first, not to mention IP-connected bathrooms, gardens, dog collars, shoes, and on and on. Think of it this way: We weren't given IPv6 with its 3.4×1038 unique IP addresses just to connect computers.

To be sure, IoT will be full of security vulnerabilities. The majority of the people coding these "things" have less security training than the average reader of this column. They aren't threat-modeling attacks. They've never heard of buffer overflow, DDoS, or credential theft. They're just good at programming firmware and making "things" talk to each other.

You don't have to be a guru to realize every previous attack that was possible on PCs (including worms, viruses, and trojans) will occur across IoT. It happened on mobile devices and cellphones, though we had many years to prepare.

The lack of threat modeling by nearly everyone developing an IoT device will ensure that thousands of pervasive security problems will emerge. Developers simply can't anticipate all the different devices their hardware will interact with. They won't do input checking well enough. They won't be able to comprehend all the foreign networks and new protocols that will fall between point A to point Z. They won't be able to anticipate the myriad ways their device will be abused. They will have poor-to-nonexistent event logging. Privacy will be broken all the time, and anything your device knows about you, including financial information, will be readily available to cyber criminals.

This is despite the fact that nearly everyone in today's computer security world understands many of the challenges. We already have an RFC about it. You can read a book about it. Nonetheless, society will get it wrong, and those of us in the computer security world will have job security until we retire.

What can fix it? My excellent colleague, Shelly Bird, recently reminded me that a lot of what we need is device identity. In order for us to begin securing IoT, we have to be able to reliably authenticate devices and apply the appropriate security controls to those devices -- and be able to identify misbehaving devices and remediate them.

I can already see tens of thousands of toasters used in a massive DoS attack against InfoWorld one day.

The best solution is one that I've been writing about for at least a decade -- the solution of pervasive authenticated identity (see my "Fixing the Internet" whitepaper). We'll never be able to fix all vulnerabilities in all devices. Heck, we can't even do that on a single device. Trying to fix individual problems on individual device platforms is like playing whack-a-mole across an endless prairie.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.