Wednesday, August 12, 2015

Security and IoT: work to be done

A few weeks ago I was lucky enough to moderate a lively discussion with Chris Eng of Veracode and Josh Corman of Sonatype. I have done a bunch of these things, and this one, organized by Dark Reading, "The Internet of Things, the Software Supply Chain and Cybersecurity", was one of the most timely, informative, and memorable. Chris ("security faults are product defects!") and Josh ("I am the cavalry") are super passionate about IoT security - you should definitely spend an hour to check it out.

IoT security has gone mainstream in the press! This story of a hijacked Corvette is just one of many recent examples. We know that smart devices are seldom built with security in mind, and we trust that the controllers in the cloud are secure, but the truth is pretty scary.

The percentage of open source code in IoT devices is staggering. You'll have to watch the video or read the whitepapers on Veracode's and Sonatype's web sites for the numbers.

  1. The first problem is that the owners of the devices don't know what vulnerabilities they are inheriting from the open source code they build into their products. There are some interesting legislative ideas being chatted up, but really it is up to us security experts to help educate and offer solutions.
  2. The second problem is that these devices seldom have a patch mechanism to fix security defects. So once an exploit is discovered, like being able to remotely control a car, there is no pragmatic or efficient process for correcting the fault. A secure patch mechanism has to be mandatory!
  3. The third problem is that the cloud applications that control the IoT devices are usually put into production without a rigorous review by experienced security researchers. This is the cyber-jackpot for IoT - hacking a device is just one thing, but hacking the controller application in the cloud gives unauthorized access to all the devices. Yikes!
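To make the second point concrete, here is an added example (not code from the post or from either company) of the minimum a secure patch mechanism has to do on the device side: verify that an update was signed by the vendor before installing it, and refuse to go backwards to an older, possibly vulnerable, version. The key pair, the firmware images and the version numbers are constructed sample values; the signature binds the version to the image hash so a valid signature cannot be reused on a different or older image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is what the vendor ships: the firmware image, a monotonically
// increasing version number, and an Ed25519 signature over (version || sha256(image)).
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signingInput binds the version to the image hash, so a signature made for one
// image/version cannot be transplanted onto another (no swap, no rollback).
func signingInput(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	buf := make([]byte, 4+len(h))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], h[:])
	return buf
}

// SignUpdate is the vendor-side step; the private key never leaves the build system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	sig := ed25519.Sign(priv, signingInput(version, image))
	return UpdatePackage{Version: version, Image: image, Signature: sig}
}

// Device holds the vendor public key (provisioned at manufacture) and the
// version currently installed.
type Device struct {
	VendorPub      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// ApplyUpdate is the device-side check: verify the signature first, then enforce
// version monotonicity, and only then "install" (here: record the new version).
func (d *Device) ApplyUpdate(pkg UpdatePackage) error {
	if !ed25519.Verify(d.VendorPub, signingInput(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= d.CurrentVersion {
		return ErrRollback
	}
	d.CurrentVersion = pkg.Version
	return nil
}

// DemoUpdateFlow runs three constructed cases against one device: a genuine
// update, an image tampered with after signing, and a validly signed but older
// version. It returns the outcomes so they can be checked rather than just printed.
func DemoUpdateFlow() (genuineOK bool, tamperedErr error, rollbackErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, CurrentVersion: 1}

	// Case 1: genuine update from v1 to v2 (constructed sample image).
	v2 := []byte("firmware image v2 (constructed sample)")
	genuineOK = dev.ApplyUpdate(SignUpdate(priv, 2, v2)) == nil

	// Case 2: image modified in transit after the vendor signed it.
	tampered := SignUpdate(priv, 3, []byte("firmware image v3 (constructed sample)"))
	tampered.Image[0] ^= 0xff
	tamperedErr = dev.ApplyUpdate(tampered)

	// Case 3: the genuine v2 package replayed against a device already on v2.
	rollbackErr = dev.ApplyUpdate(SignUpdate(priv, 2, v2))
	return
}

func main() {
	ok, tErr, rErr := DemoUpdateFlow()
	fmt.Println("genuine update applied:", ok)
	fmt.Println("tampered image:", tErr)
	fmt.Println("replayed older version:", rErr)
}
```

The two checks are deliberately ordered: the signature is verified before the version is even looked at, so an unsigned package can never influence device state, and the version comparison is what turns "signed by the vendor" into "signed by the vendor and newer than what I run". A real device would additionally write the image to a staging slot and only switch over after it boots correctly.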
IoT security is a problem that extends all down the supply chain, and has the potential to affect everyone's daily life. It is a big deal and time for the security industry to treat it as a strategic initiative.
