The reality is not all bleak, however, say experts like Zach Lanier, director of research at Cylance. He noted that many consumer devices “may not store enough data locally to make it worth locking out the user, not to mention that a factory reset may clear up the issue – assuming the attacker hasn't tampered with or otherwise flashed malicious, backdoored firmware.”
Also, as awareness of the threat grows, so do efforts to address its security risks. Those initiatives include BuildItSecure.ly, the Cloud Security Alliance IoT working group, the BSIMM and the Open Web Application Security Project (OWASP).
Lanier, who is involved with BuildItSecure.ly, said the goal is to “identify the various components that make up an IoT device, as well as the supporting services, and their respective vulnerabilities and threats; and help educate vendors and customers on the necessary steps to ensure the security of these products and platforms.”
Another example is a report released earlier this month by the IEEE Center for Secure Design titled “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” which pointed to security flaws the wearable industry should address and proposed security guidelines for those devices.
And Brian Witten, senior director, IoT, at Symantec, said his firm is pushing what it calls “four cornerstones of security” for IoT devices, which include having the capability for field updates.
“Without the ability to update your devices, you have no way to predict how they'll be attacked in the years to come, and attackers are quite nimble,” he said.
Field updates carry their own risks, however. Geer, in a BlackHat keynote address, noted that if devices have remote management interfaces, “the opponent of skill will focus on that and, once a break is achieved, will use those self-same management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there.”
Geer recommended that embedded systems become more like humans – in that they would “be certain to die no later than some fixed time,” and therefore be replaced.
All of those, however, could be described as “carrot” incentives for better IoT consumer security – they offer assistance and encouragement, but no sanctions for lax security.
And there are currently no laws that mandate specific security requirements for IoT consumer devices. There is not even an established seal of approval from an Internet organization comparable to Underwriters Laboratories (UL) which, as Dormann put it, tests and certifies products so “a consumer has some amount of certainty that it won’t burn your house down.”