Sad reality: Look, no one's going to patch their insecure IoT gear

'Consumers are ready to roll the dice with their privacy every time they buy a gadget'

You lose again ... Punters forced to roll the dice with their privacy – and there's no saving throw

If you think ordinary people are going to look out for and apply firmware fixes to patch vulnerabilities in the Internet of Things, you're crazy.

It's going to be down to manufacturers to secure IoT devices, Intel Security's chief technical strategist says, because consumers will cheerfully give away their security and privacy in the name of convenience.

Scott Montgomery said time and time again non-geeks have shown little interest in the security of their IoT gizmos and were willing to put up with major security failings in things like home alarm systems and door locks in exchange for ease of use.

"Internet security and privacy are already tricky and industry hasn't done a great job of making it more accessible and easier – that's on us," he told the Structure Security conference in San Francisco on Wednesday. "But consumers are very, very ready to roll the dice with their privacy every time they buy a gadget."

A lot of manufacturers aren't getting the message either, he noted, citing two particularly worrying cases. In Canada, a maker of app-controlled vibrators is being sued after Kiwi hackers revealed that the device was recording a whole host of information about their use, and Mattel faced a huge backlash when its Hello Barbie doll was found to be riddled with security holes.

Medical equipment was also singled out for his scorn. There are thousands of health-related devices that are connected to the internet, he said, but there was little reason to do so and the results meant that you can pick up their data online with very little effort.

"If you look at any dark web search engine you'll be able to look at live MRIs going on right now," he said. "You can actually watch eyeballs being cut for Lasik surgery online. I don’t want to say that I've done it because that would be bad and probably borderline illegal but if you did watch it it's actually pretty cool."

However, industry has got the message on IoT security very clearly, he said, citing Exxon as being a clear leader in the field. The oil giant has been conducting a massive infrastructure overhaul with the intention of adding in IoT sensors from oil wells to refineries.

As part of that, Exxon has told its suppliers to take a much firmer look at how these sensors can be locked down. He gave the example of Exxon's production facilities where kerosene and gas are produced by the same equipment and bleed off with IoT-controlled valves.

There's no point in making such sensors too smart, he said. Instead they simply need to know whether to open or close and need no root access or extra functionality that could be hijacked by a hacker. Exxon is enforcing these rules with its suppliers to lock down its network.

Ultimately, manufacturers and chip suppliers need to formalize this process and make it happen, he opined. But in the meantime, if consumers are taking risks with goods it's up to the manufacturers to stop them. ®

Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019