September Round Up of News That Proves Trust Is the Point
What's been going on in the world of IoT? September was a busy month. Let's get caught up.
- Homeland Security is taking notice of the Internet of Things' potential safety breaches
- A consultant built a set of IoT-related best practices
- DEF CON 24 continued to reveal major vulnerabilities in name-brand devices
- Survey data from the Online Trust Alliance shows that just about every vulnerability reported in the last year could have been prevented “easily”
Speaking at the Security of Things forum in Cambridge, Robert Silvers of Homeland Security made a strong case for securing ourselves now instead of in fifteen years from now. The bottom line is that failing to invest in appropriate security protocols and the technology to uphold them will be exponentially more expensive than designing security measures into the Internet of Things. We have a chance to make security as affordable and efficient as it will ever be in the next 20 years as we build the industry from the ground up. Silvers says we cannot pass up that opportunity, and we agree.
This involves connecting devices with servers across the US, both for the public good, for private use, and for industry advancement. That's why Silvers has started consulting with IoT-related companies across the continent to devise a system of unifying principles and best practices. We'll continue to report on what he produces.
This year's annual DEF CON event was held in August, and the hack-a-thon it hosted reportedly revealed 47 recently discovered vulnerabilities across 23 devices, from 21 name-brand manufacturers—including Samsung and Subaru, including:
- 75% of smart locks investigated could be compromised “easily”
- The ongoing use of hardcoded and plain text passwords continues to create avoidable vulnerabilities
- Tigro Energy solar panels let hackers gain access to the plants, potentially shutting down small and medium power generation facilities
According to CIO Dive, the Online Trust Alliance (a charitable organization in Bellevue and Washington D.C. ) collated data from various enterprises and organizations to make an alarming conclusion: all IoT consumer product security issues reported November 2015 could have been avoided.
As if channeling Robert Silvers' own call for unifying principles and best practices, the OTA identified these three basic problems in today's market-ready devices:
- Poor credential management lets unknown users access device data
- Many companies do not disclose their consumer data collection policies
- Problems can be caught with rigorous and systematic testing before launching
The OTA has developed a new “IoT Trust Framework” for developers to implement in new products and services moving forward, which should inform companies how to avoid basic pitfalls like the ones we have seen this year.
Citing multiple instances of commandeered laptop cameras, hacked baby monitors, and compromised “smart” Wi-Fi networks that can shut down home appliances, IT Portal has raised a red flag on the current state of IoT consumer products. Yet it is not just the devices themselves that cause concern.
IT Portal points to the insecure traffic of consumer data between devices and enterprise servers that creates the vulnerabilities. Failing to encrypt that flow of data has allowed dedicated hackers to access devices with backdoors, and the “watered down” operating systems on most non-PC Internet-enabled devices has made that a straightforward task.
The solution? IT Portal suggests three:
- Shrink the pool of “trusted” computing bases to limit unwanted access
- Share only encrypted data between devices and servers
- Rigorously apply identity protocols to absolutely everything interacting with Internet-enabled systems, no matter how small.
While designing security into IoT systems from its inception remains a key theme in September's developments, it has become clear that the Department of Homeland Security hit the nail on the head by calling for a set of security standards and best practices. The DHS, the Online Trust Alliance, and the white-hat hackers at DEF CON have made it clear that the IoT infrastructure could very well collapse from consumer mistrust unless enterprises and governments alike begin taking the issue seriously.
And, as always, they have proven that trust is the point.