Ted Harrington, partner at Independent Security Evaluators and organizer of the annual DEFCON hacker conference, is not at all optimistic about a secure IoT. As Harrington tells Inverse, IoT security “will get worse, potentially a lot worse, before it gets better.”
According to Harrington, new technology typically follows three predictable phases: innovation; a wave of similar products that reach the marketplace without proper security; and pressure from the community to tighten up security.
“We are at the very, very, very front edge of that second phase,” Harrington opined. “We have a long way to go before we get to the third phase.”
To be sure, he says, the current trust model for the IoT is broken.
“Meaning, connected devices inherently trust each other, when in fact they should inherently distrust each other,” he explained. “Don’t get lost in the hype with how exciting IoT is without balancing it with the risk that comes along with IoT.”
Paul Kocher, the Chief Scientist of Rambus’ Cryptography Research Division, expressed similar sentiments during a recent panel about securing the Internet of Things (IoT).
“Today we have a plethora of devices with multiple functions and features,” he explained. “This complexity means bugs are being created far faster than they are being fixed. In addition, more devices means an increased number of targets, while more information [stored or collected on IoT devices or endpoints] offers greater rewards to hackers.”
According to Kocher, security is not always something people are willing to pay for. Nevertheless, the progression of Moore’s Law is helping to reduce costs from dollars to pennies. In addition, says the chief scientist, the Federal Trade Commission (FTC) has increased its scrutiny of consumer-related hacks, while a more stringent level of security is required for certain government applications and equipment.
“Ultimately, IoT security will enter a stage of maturity and responsibility,” Kocher opined. “In the meantime, we are experiencing growing pains, much like the aviation and pharmaceutical industries did before an increase in both collaboration and regulation. This approach has to change at some point, but the question is how bad does it have to get before people really care.”
Kocher goes on to state that what is needed now is to avoid situations where vulnerable products are deployed in the field for 10-15 years or more – at which point they may no longer be supported by belated software security patches. Indeed, as Kocher noted earlier, numerous companies are still routinely “checking the security box” to expedite the process of launching a new product.
“They want the least intrusive, least comprehensive evaluation possible. And then there are companies that have been hacked that want to understand their risk and mitigate it,” he added. “If you get check boxes without teeth behind the consequences, it doesn’t help. If you can get liability and skin in the game for companies that control the risk, it would be transformative.”