IoT security is always a hot topic and the debate stepped up over the past month. You might expect commentators to bemoan the lack of current IoT security standards – and they did. More surprisingly, others unexpectedly called on the industry to accept shortcomings inherent in the Internet of Things.
A quick recap: IoT, or the Internet of Things, describes the billions of connected devices that gather up and send data. Embedded sensors and actuators are turning up everywhere from cars and toys to vacuum cleaners and home appliances.
The problem is, manufacturing costs for connected devices are so low that security becomes an expensive afterthought. Last year, the Mirai botnet involved attackers taking control of connected IoT devices like home routers and security cameras. They used the bandwidth for those compromised devices to launch some of the biggest DDoS attacks in history.
Many security experts worry that Mirai was a sign of things to come. A US Department of Defence-funded study from Carnegie Mellon University tested home routers from 13 manufacturers, and found security flaws in all of them.
In a keynote at the Sec Tor conference last month, Bruce Schneier called again for governments to regulate IoT security. He has been banging this particular drum for some time. Schneier argues that industry alone can’t – or won’t – address IoT security issues if left to its own devices (excuse the pun).
As Brian Honan pointed out in a recent SANS newsletter, Europe is already looking at regulating this industry. He linked to a story about how the EU’s network security agency ENISA looked into IoT devices. ENISA doesn’t like what it’s found, and has proposed a baseline security spec, along with a ‘trust label’ scheme.
As a counterpoint, the researchers best known for hacking into a Jeep Cherokee while it was driving have a different take on the current state of play. During a keynote at the Black Duck conference, Charlie Miller and Chris Valasek said the industry needs to accept imperfect security for IoT. “The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security.”
Just to be clear, they’re not making an irresponsible case for leaving things as they are. As the report in ThreatPost elaborates, they call for the industry to focus on the most pressing IoT security issues. If that means ignoring some of the less urgent risks, then that’s an acceptable tradeoff.
“Drawing from their car hacking experience, the two spent the morning contemplating the larger universe of IoT security and conceded that there will always be thousands of connected devices that will never be secure, and that industry should prioritise personal safety and the security of automobiles and medical devices, for example, over toothbrushes and door locks.”
Last month, Help Net Security polled five experts about the current state of IoT security. The piece has some practical advice on steps to take for any organisation embarking on a potentially risky IoT initiative. As for end users, F-Secure’s Mikko Hypponen is less optimistic. He believes they will only take IoT security seriously when their devices will get infected with ransomware. We’ll need to stay tuned to find out how this story ends…