Let’s all think back to 2009 when “cloud computing” was first entering the majority of technologists’ lexicon. There was much groaning towards the name with statements such as, “we’ve all been doing this for years” and “this doesn’t change anything”. Now fast-forward to the present and you may notice a similar line of dialog about how the “Internet of Things” isn’t really that important. Unfortunately for dissenters, they couldn’t be more wrong.
With the recent action of the FTC against TRENDnet for their failure to adequately secure their IP web cameras, the opening salvo for Internet-connected manufactures has already happened. With an increase in available chipsets (Electric Imp, Arduino, etc.) and a reduction in cost to put products to market (3D printing, anyone?), the horizon for numerous new Internet devices is well within view. If larger organizations such as TRENDnet can’t properly secure devices, why do we think that those people crowd funding or bootstrapping a new device will?
The risks facing consumers are tremendous due to the access that each of these Internet-connected devices may potentially provide to an attacker. While a web camera may seem like a threat due to the privacy implications of an attacker being able to see someone’s home video feed, the ability for that same camera to be a jump-point into the rest of a consumer’s network is even more of a concern. Now consider this same sort of risk across numerous devices that most people will connect to the Internet over the next few years.
Because each of these IoT devices likely leverages third-party service providers to function, there’s an even greater increase in attack surface. If a single vendor was broken into, there’s very little stopping most criminals from exploiting proxy connections or other means that would be available in typical function of an Internet-connected device. As with cloud computing, the security perimeters for many of these devices is non-existent and rely on authentication in many cases as the only means of protecting consumers from having their products abused.
It’s critical that service providers and IoT device manufacturers begin to build strong authentication into their solutions, ideally in such a way that even in the event a provider is compromised, the consumers themselves won’t be in direct danger. Much like cloud computing exposes the warts of many organization’s security programs (or lack there of), the Internet of Things will quickly put those products that don’t adhere to best practices into a very poor light for not executing on protecting the consumers they are selling products to.
If we as the information security community don’t rapidly begin helping understand the landscape of the IoT, we’ll see more interventions from the FTC and other governmental bodies trying to bring sanity to this wild west of technology we find ourselves in. The benefits of the IoT are certainly great but that excessive connectivity into our lives needs to be tempered against the realities that information security is hard and we have too much at stake not to be cautious.
Mark Stanislav | Duo Security | @markstanislav
To find out more about our panel members visit the biographies page.
