Data security even more critical as Internet of Things multiplies, morphs

When this century commenced, delivering new technology as quickly as possible, with scant concerns about quality, became standard practice. Consumers snookered into buying version 1.0 of anything were essentially quality-control testers.

How soon we forget. As we enter the age of the Internet of Things, companies are pushing out computing devices optimized to connect to the Web with little thought to security implications.

ESET security researcher Cameron Camp has been paying close attention. He recently sat down with ThirdCertainty to share his observations (answers edited for clarity and length).

3C: New devices with the capacity to link to the Internet seem to hit the market every day, and eager early adopters snatch them up. Why should they slow down?

Cameron Camp, ESET security researcher

Camp: Companies are going to live and die whether they get to market fast. I think security tends to be an afterthought, and I’m concerned that some of the manufacturers don’t really have a solid way forward right now.

3C: That sounds ominous. What can and should we be doing?

Camp: We have to think about security in new ways. We have to secure the person, the experience and the data in rest and in motion at all times, and that’s not going to be done with a PC attitude toward security.

We don’t understand how to protect that data at all times and on a multitude of platforms. If you’re working on machines at home, and a lot of them are connected, and you have a breach on one, you have a breach on lots of them. All hackers need is a toehold into your system.

3C: What if someone doesn’t buy every new gizmo that comes along? Are they safe?

Camp: Hackers are finding interesting and novel ways to break into all kinds of things. Routers are one of the first things that really need security to be dealt with, because everyone has one. If your router is one to three years old, it is a gateway to get into everything you own.

3C: Why don’t routers get patched like PCs?

Camp: The manufacturer will be notified that these things are wide open to attacks, and they don’t seem to want to do anything; they’re more interested in the next product cycle. People replace a router when it dies after five years. In the meantime, if four of those years they’re vulnerable, we have a big problem.

Manufacturers have to keep the revenues up; they don’t do that by supporting their routers forever, especially low-cost routers. In the Internet of Things, if you have many sensors around the house, and you raise the cost of those sensors by $1, it makes your system cost too much. Nobody’s going to buy it, and you’re going to be out of business.

3C: Everyone is worried about their routers now; anything else consumers need to be concerned about?

Camp: The people who are good at breaking into Internet of Things devices may not be good at exploiting them, but they are good at entry, and they’re going to sell that to the highest bidder.

Many of these devices run a full Linux operating system; that means they are a server. You can load things on them and exfiltrate data, because Linux was always built to be networked; it was built to be in a server environment.

3C: Is there some good news on the horizon?

Camp: I think there’s going to be a standardization around operating system ecosystems. We’re going to see default operating systems used on the Internet of Things so a manufacturer can focus on their own sensor, their own technology, and just drop in a secure operating system. Right now, there’s many different permutations. In five years, we’re not going to see that, we’re going to see just a few that everyone uses, so if there’s a security issue, people will understand more how to patch them.
