Heartbleed & IoT: How Much Worse it Could Get
Yes, Heartbleed was bad, but at least its reach was bounded: it was a memory-disclosure bug in one library (OpenSSL's TLS heartbeat extension), and the fix was a library update on machines that someone already administered. It couldn't hijack your toaster, after all. But in the age of the IoT and very vocal toasters, will that still be true? According to Bruce Schneier (in an interview with Scott Berinato), there are serious security risks that come along with the IoT:
Heartbleed would have been much worse in a world of Internet enabled thermostats, refrigerators, cars, and everything else, and that’s the world we’re headed toward.
In an essay on his own website, Schneier elaborates on the problem. It begins, Schneier argues, with specialized chips that are made to be cheap: "bang for the buck" products, sold with whatever firmware and operating system the chip vendor bundles. Then the ODMs and brand-name companies buy those chips, build devices around them, add features, create user interfaces, and so on. That, Schneier says, is where things fall apart:
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it's shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn't a priority.
And it escalates:
To make matters worse, it's often impossible to patch the software or upgrade the components to the latest version. Often, the complete source code isn't available . . .
Even when a patch is possible, it's rarely applied. Users usually have to manually download and install relevant patches. But since users never get alerted about security updates, and don't have the expertise to manually administer these devices, it doesn't happen . . .
The result is hundreds of millions of devices that have been sitting on the Internet, unpatched and insecure, for the last five to ten years.
All of this, Schneier argues, is only going to get worse as the Internet of Things grows. The IoT brings a vast population of loosely secured devices, attackers know how thin that security is, and were a Heartbleed-class bug to surface a few years down the line, with no one positioned to ship or install a fix, it could be far more catastrophic. The solution may be costly, but it is clear: processes must be put in place so that embedded systems can be secured and patched easily and reliably, by someone who is actually responsible for doing it.
Otherwise, who knows what your refrigerator might do.