Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The Internet of Things: An exploding security minefield

Taylor Armerding | April 14, 2014
Security duo tells SOURCE Boston audience that security is not even an afterthought for small IoT device entrepreneurs.

Everybody from the Federal Trade Commission (FTC) to a unanimous crowd of security experts has been issuing increasingly insistent warnings that security is not being taken seriously in the explosive development of the Internet of Things (IoT).

But things are not improving in fact they are getting worse, according to Mark Stanislav and Zach Lanier, security evangelist and senior security researcher respectively, at Duo Security.

Speaking at SOURCE Boston Thursday in a presentation titled "The Internet of Things: We've Got to Chat," the two said this is in large measure because of what would otherwise be a good thing the democratization of the field. "There are a few hundred IoT-related companies, most of which you've never heard of," Stanislav said.

That means development of the IoT is, "not just for larger companies," Lanier said. "Anyone can make a thing and get $80,000 overnight to do it," from crowd-funding sources. "But the problem is that entrepreneurs are not security minded people. They have no experience with it and no budget," he said. "And they don't know why other people want to break their stuff."

Stanislav and Lanier said their goal is to help those small vendors understand the importance of security, and in so doing, "help them stay out of jail," with an initiative called "BuildItSecure.ly."

The security problem is growing by orders of magnitude. Estimates of the number of embedded devices that will be connected to the Internet by 2020 range from Gartner's 26 billion to more than 50 billion from FTC Chairwoman Edith Ramirez, speaking at a workshop last November.

Lanier, pointing to hardware ranging in price from $25 to $169, said that each, "offers general purpose uses. You buy the thing, create an account and just write application code for it and it sends messages to whatever the device is. It's kind of SaaS that you can stick into something."

The point, he said, is that, "the barrier to entry (for developers) is very low. It is cheap hardware with unlimited possibilities."

And the cheaper it is, the more attractive it is to small developers who may be working out of their basements on shoestring budgets, but it is also much less likely to have rigorous security built in.

In what they called "A Case Study in IoT Failure IZON," the two said they had found 19 vulnerabilities, including unencrypted storage of customer data, information leakage, poor password security, lack of authentication for customer data and poor mobile security in a single IoT device.

No wonder, then, that the "challenges" to the industry include the security of just about everything involved the hardware, software, network and platform along with user awareness and behavior. If they are not addressed, IoT vulnerabilities could result in attackers getting control not just of your refrigerator and thermostat, but your garage door, door locks even the operation of your car.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.