Traffic lights, fridges and how they've all got it in for us

Interthreat of things

Protective measures

Addressing the problems now should help ease the threat of IoT hacks. The first thing is to push manufacturers to ensure security and privacy by design, says David Emm, senior security researcher at Kaspersky Lab. It's important that manufacturers of such devices, and the organisations implementing them, ensure that security is built in. The first step is to be aware of the potential risk; this can be more difficult if the device manufacturer and the implementation are not being carried out by the same organisation, he adds.

“For example, a car manufacturer may not be responsible for the technology that brings Internet connectivity into the car – or that's used to drive it – in the future. Similarly, it's unlikely that the connectivity built into smart meters will be developed by power companies themselves.

“Not only does this mean that security may not automatically be 'top of mind' from the start, but deployment of any firmware updates may be beyond the means of the implementer.”

Fortunately, there are a number of groups who are working to create such good practices amongst IoT vendors. The Build It Securely initiative, established by a number of researchers including Zach Lanier of Duo Security, is providing information for companies to help embed security in their processes. It also includes advice on setting up bug bounty programs to reward vulnerability researchers, thereby encouraging firms to make their products more secure.

“This isn't a service, this is kind of like OWASP, we're just providing resources,” Lanier says. “Here's some education on how security researchers work, here is some research to make your stuff more secure.”

Then there’s I Am The Cavalry, a project set up by Josh Corman, which describes itself as “a global grassroots organisation that is focused on issues where computer security intersects public safety and human life”. It will act as a hub for research on the Internet of Things and hopes to coordinate efforts to secure the connected machines that surround us.

It’s also lobbying the US government to act on the issues. Corman tells me he has been spending time on Capitol Hill this year, speaking with a number of politicians about what can be done to make the digital controls running everyday machinery less vulnerable to hackers.

Should we slow down IoT?

But even these admirable initiatives will find it hard to cover off the majority of vulnerabilities. Perhaps encouraging corporations and government entities to slow the rise of the Internet of Things would also be wise, so hackable machines don’t form a significant part of our quotidian existence.

Emm and others believe there’s little chance of that happening. There are simply too many economic opportunities. “If this were a government project, or one sponsored by a single company, it might be. But what's driving this is economics – the drive for efficiency and productivity. The benefits that flow from an Internet of Things are much more evident than the potential dangers.”

That’s why Gartner is predicting the number of IoT devices, excluding PCs, tablets and smartphones, will hit 26 billion units installed by 2020. That represents an almost 30-fold increase from 0.9 billion in 2009. This will open up vast revenue streams for businesses, as IoT product and service suppliers are expected to generate revenue exceeding $300bn, mostly in services, by that same year. In a world still reeling from the downturn that started in 2008, which government wouldn’t want to spur on IoT development?

Jordon also says there’s no chance of IoT being slowed down, but manufacturers have the tools available to them to secure their creations. They just need to be convinced to use them. “People will still buy the products either because they are ignorant to the threats or assume that no one would hack into them. The security community needs to help and encourage the manufacturers of IoT devices to accelerate the process of maturing the security of their products,” he adds.

“The lessons have already been learnt on modern OSes. The mitigation techniques are out there and secure development lifecycles are well documented. IoT developers have access to the answers, if end users force them to use them.”

People have the power to make IoT safe. They just need to be told to exercise that power. ®
