With 2013 wrapped up it’s worth taking a few minutes to discuss a trend we saw on the rise and the implications of not just the marketplace related to that trend, but also the interaction of the federal government. While the preceding may allude to the NSA, breaches, or some other giant topic for the year, I’m actually speaking about a much subtler subject that’s really started to take a life of its own — the security of the Internet of Things (IoT).
In January 2012, a person decided to aggregate hundreds of poorly secured TRENDnet IP cameras. This led to the FTC taking a closer look at how TRENDnet was managing information security and ultimately led to a complaint being filed against the company. This past September, the FTC settled their complaint and with that settlement came heavy regulation against TRENDnet including restrictions on sales language, mandatory security audits, and even the establishment of an information security program.
While the TRENDnet situation was very public, it was merely the first salvo in what will surely be a long war of market speed versus government oversight on these products. With the explosive number of Internet-enabled devices being created and marketed for purposes ranging from home security to feeding your pet treats, the limits to what people will buy and put on the Internet likely has no real limit.
The uptick in Internet-enabled devices is extremely obvious if you frequent the crowd-funding web site, Kickstarter. A quick search will reveal an Internet-enabled toothbrush (complete with iOS application) and a 360-degree web camera featuring GPS and live Internet streaming. The purpose of Kickstarter is of course to help would-be products see the light of day and provide the visionary behind each idea the money to bring it to market. Unfortunately that premise does lead to an important question: how many of these product designers are information security experts?
Of course the ecosystem of Internet-enabled devices is much larger than just crowd-funding web sites. For example, the web site Postscapes states that they “track the Internet of Things”. For any security researcher looking for a weekend project, this is the place to find an Internet-enabled device to investigate. After spending a few minutes reviewing the web site, two things will become immensely clear:
1) People really, really love Internet-enabled stuff
2) Most of these devices have no need to exist, let alone receive an IP address
So what does 2014 hold for the Internet of Things and information security? We’ll likely see the FTC, led by their Chairwoman, Edith Ramirez, continue to wield a large stick against vendors not taking security seriously enough. That means security researchers are tasked with helping discover, report, and guide remediation on these issues so that we have examples of what not to do. Without bringing these grand failures of security to light, consumers and the FTC will be in a tough position to make real change possible. One thing is for sure, we’re at a tipping point and the next year will surely be a good test to see which direction we’ll go in for the IoT.
Bio: Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based start-up focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, start-up, and corporate environments, primarily focused on Linux architecture, information security, and web application development.
Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.