F-Secure's Mikko Hypponen on IoT: If it uses electricity, it will go online
Want a more secure PC? Try Windows 10 S, says CRO
Mikko Hypponen, chief research officer at Finnish security company F-Secure, spoke to The Reg at the launch of Sense, a consumer firewall device that aims to "secure your connected things".
Hypponen says IoT is unavoidable. "If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future, you will only buy IoT appliances, whether you like it or not, whether you know it or not.
"Home appliance manufacturers will be adding connectivity to every device, no matter how mundane, because the price of adding it will be marginal. Those devices will not be going online to benefit the consumer, they will be going online to benefit the vendor. They want analytics. In 10 or 15 years, they will add this 2-cent chip on every toaster. Now they know where their customers are, on which side of the city, how often they toast, at what time of day, with what kind of bread, how often there are failures. We can't avoid the IoT revolution by refusing to play a part."
Such devices will not rely on home Wi-Fi systems, says Hypponen, rather undermining the principle behind the company's new Sense hardware. Still, currently home Wi-Fi is the norm.
Sense combines a traditional firewall with a cloud service and uses concepts including behaviour-based blocking and device reputation to figure out whether you have insecure devices. It is bundled with other F-Secure services including the Freedome VPN and Windows and mobile security apps. The Sense router is based on the OpenWrt project but locked down so it can only be configured via the F-Secure app. More technical users may be frustrated by the limited configuration options, while others may baulk at the price, £169 with one year's subscription, and £8.50 per month thereafter, despite the fact that it addresses very real risks.
F-Secure Sense, a firewall focused on IoT security
"Since you can't secure the devices with software then you have to secure them from the network. I don't see any other way of doing it. The only other way is that the vendors themselves will fix their problems. That's going to be a long road to travel," says Hypponen.
I mention the cheap Chinese IP camera I bought, which activates UPnP port forwarding by default, makes outbound connections to Chinese peer-to-peer servers with no way to disable them, and is supported by an insecure Android app; ways of hacking into these cameras are easily discovered. How will Sense fix such problems?
"We will work with the vendors to try to get them to fix their own stuff. If they won't fix it then we have no choice other than to block it, or to inform the user and let them continue using a vulnerable device. There is no third option. We are facing problems in this, it's not simple. And the Sense market is brand new.
"I was really happy to see Symantec announce Core [a similar device] at CES in January. I'm not worried about competition because it is a huge market, I'm much more happy to see that they validated what we saw as a problem."
Is anyone doing consumer IoT security right? "Consumer appliance vendors which are serious about this are very hard to find," says Hypponen, "because cybersecurity is not a selling point for washing machines. Price is the most important selling point. This means we are setting ourselves up for failure.
"The solutions for such a situation are things like regulation, or certifications. Regulation almost always fails. I am not a fan of regulation. A good example would be the EU cookie law."
One perhaps surprising example of good practice comes from flatpack furniture retailer IKEA with its TRÅDFRI system used for smart lighting. What is IKEA doing that others are not?
"They are running a tailor-made real-time operating system, so it is not running Linux, it is not running Windows IoT. It's a real-time operating system which is not running any services. They've stripped it down, they've removed everything. There are no open TCP ports at all. It's listening on one UDP port, and it only listens to authenticated traffic. Security patches exist, and they are only accepted from the IP range of IKEA IT, and they are code-signed with long keys. So they're doing exactly the right things. It's not rocket science, it's just doing it right."
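The two update-acceptance gates Hypponen describes (sender must be in the vendor's address range, image must carry a valid code signature), as an added example that is not IKEA's or F-Secure's code. The type and function names, the 203.0.113.0/24 range and the choice of Ed25519 are this example's own assumptions; the page does not say which signature scheme TRÅDFRI uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/netip"
)

// UpdatePolicy models the two gates described for TRÅDFRI: updates must come
// from the vendor's own address range and carry a valid code signature.
// Names, range and Ed25519 are assumptions made for this example.
type UpdatePolicy struct {
	VendorRange netip.Prefix      // vendor IT address range (constructed)
	VendorKey   ed25519.PublicKey // vendor's long-lived signing key
}

var (
	ErrUntrustedSource = errors.New("update rejected: source outside vendor range")
	ErrBadSignature    = errors.New("update rejected: signature does not verify")
)

// Accept returns nil only if both gates pass. The address check is a cheap
// filter; the signature is the gate that actually proves the image is the vendor's.
func (p UpdatePolicy) Accept(src netip.Addr, image, sig []byte) error {
	if !p.VendorRange.Contains(src) {
		return ErrUntrustedSource
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(p.VendorKey, image, sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo generates a vendor key pair and runs three constructed update attempts
// through the policy: a genuine one, a modified image, and an outside sender.
func Demo() (genuine, tampered, outsider error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	policy := UpdatePolicy{VendorRange: netip.MustParsePrefix("203.0.113.0/24"), VendorKey: pub}
	image := []byte("constructed firmware image v1.2")
	sig := ed25519.Sign(priv, image)
	vendor := netip.MustParseAddr("203.0.113.7")
	genuine = policy.Accept(vendor, image, sig)
	tampered = policy.Accept(vendor, []byte("constructed firmware image v1.2 modified"), sig)
	outsider = policy.Accept(netip.MustParseAddr("198.51.100.9"), image, sig)
	return
}
func main() { fmt.Println(Demo()) }
```

Only the signature check binds the image to the vendor; the address filter alone would not, since source addresses can be forged.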