Kevin Mitnick recently told the Freescale Technology Forum that the Internet of Things (IoT) is “exploitable.”
“I don’t know any system out there that’s impenetrable,” the hacker turned security consultant emphasized during a conference symposium cited by DesignNews. “In our experience, when we are hired by clients to attack their systems, our success rate is 100%.”
More specifically, says Mitnick, the IoT is plagued by many of the same issues corporate computer networks face, including lack of encryption, authentication weaknesses and password resets.
“Those same vulnerabilities exist in the IoT,” he added. “If I want to get information from a device, all I have to do is go out and buy one and then extract the firmware.”
Bob O’Donnell, the Founder and Chief Analyst of Technalysis Research, expressed similar sentiments in an essay posted on ReCode.
“Whether we want to admit it or not, anything that gets connected to either a wired or wireless network has the potential to be — and probably at some point will be — hacked,” O’Donnell opined. “Whether it’s a security camera we install in our homes, a connected module inside our new cars, or an automated building HVAC (heating, ventilation, air conditioning) system within the buildings we work or visit, the threat is there.”
According to O’Donnell, most new IoT devices aren’t being brought to market with a robust security model in mind.
“Instead, the focus is on offering simple connectivity in order to give them new functionality, with easy access being a core part of this new capability,” he explained. “Combine this with all the well-intended efforts that have been introduced over the last several years to make networking easier, and you’ve got the recipe for a potential disaster.”
That is why David Bray, CIO of the US Federal Communications Commission (FCC), says companies must begin treating security breaches like infectious diseases by focusing on “signs, symptoms and demographics” to prevent a wider outbreak.
“By 2022, there will be more data on the planet than all human eyes will see in the course of a year,” Bray told the Cloud World Forum in a statement quoted by ITPro. “The future is going to surprise us. We need to start thinking about how we actually prepare for it now.”
Zainab Al-Shamma, a security marketing manager at Rambus, recommends manufacturers of IoT devices and platforms adopt a hardware-based security strategy – beginning at the SoC level itself.
“A hardware-centric approach will help ensure that SoCs powering the IoT remain secure during the manufacturing process. In addition, embedding the appropriate security IP core into an IoT device or platform will go a long way in helping companies design systems that remain secure throughout their respective lifecycles.”