Is "IoT Security" a Contradiction in Terms?

The Internet of Things (IoT) has become the internet of hacks. More and more devices are becoming internet-enabled. While this makes many aspects of our lives easier, it opens us up to a wide range of cybersecurity problems. From direct control of devices to lost of personal private data to actual control of the networks and computers in our homes and offices, the IoT is creating security risks at a faster rate than it’s fixing them.

Vendors are driven to get items to market fast in order to make money. Along the way, security is given short shrift — or, all-too-often, not even considered. After all, it’s only a light bulb... what’s the worst that could happen? The answer, of course, is a lot, and probably much more than you think.

Compounding this problem is the fact that consumers simply don’t like doing sysadmin work and maintenance on their hardware. It’s difficult enough to convince people to update their computers and mobile devices. Worse than that are things like keeping routers up-to-date. Way down everyone’s list of things to do is monitor all the smart devices in the house for CVEs (known vulnerabilities) in the national vulnerability database. Hardware manufacturers have to take this into account and put even more care into the software security for software embedded in Internet-enabled things.

Just for giggles (in a scary sort of way), here’s a brief partial list of a few devices that have known hacks available for them. If this doesn’t scare you, then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

• airbags
• Fitbit health bracelet
• Baby monitors
• VOIP phones
• road signs
• printers
• cctv cameras
• pacemakers
• kettles
• ATM
• USB
• USB-C port
• gas station tank gauges
• cars
• Blu-Ray discs
• light bulbs
• smartwatches
• CD players
• electricity smart meters
• thermostats
• SD cards
• mag stripe readers

Again, this list is only a (very) small subset of things that not only can be hacked but already have been hacked. The scary thing is that many of these aren’t just access to the device itself or even data from the device (which is already a huge privacy issue), but are gateways to attack other pieces of your network. Read more about the lightbulb and blu-ray hacks above.

Now the answer to all this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have.

IoT Hall of Shame

I recently created a list of known hacks for “things” – you can view it at the IoT Hall-of-Shame.

FedScoop Podcast

FedScoop's Kevin Greene and I recently chatted about challenges in securing the Internet of Things, and best practices for installing and deploying IoT devices.

IoT Security Resources

• Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development
• Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine
• Software Test Attacks to Break Mobile and Embedded Devices (Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series)
• Embedded Security in Cars: Securing Current and Future Automotive IT Applications