Designers and developers of the Internet of things need to build security into their products from the beginning, not bolt it on from the outside afterwards, according to the Online Trust Alliance, the nonprofit umbrella group which works to protect internet users’ security, privacy and identity.
Noting that concerns about security and privacy remain one of the largest barriers to consumer adoption of IoT technologies, Craig Spiezle, the alliance’s executive director and president, said these principles “cannot be bolted on mid-flight, and must be designed in from the onset. Creating a culture of security, privacy and sustainability with transparency will yield long-term benefits to industry.”
The principle of building in security — one of a handful in the IoT “vision document” the OTA published Tuesday — is not a novel one.
Indeed, there were numerous calls for a similar approach at last week’s AppSecUSA conference, where one speaker compared the IoT to a “leper colony” ready to infect the rest of the internet with its fatal disease.
But the IoT “industry is not looking at the long-term support issues associated with IoT; nor the privacy issues as it pertains to devices which may outlive a single owner,” said Spiezle.
“If individuals and businesses cannot trust that their personal and proprietary data will be kept secure and private, large-scale adoption of IoT will not be realized, and calls for regulatory legislation will increase,” the document states. It adds that these principles must apply throughout the whole IoT eco-system and across the entire life-cycle of devices.
For example, if a “smart home” is sold to new buyers, both the home’s original owners and its new owners need to be assured that their data is private and secure. And smart devices, their communications and the cloud that stores their data must all be secure and patchable.
Absent that, Spiezle told CyberScoop via email, IoT devices could be “weaponized” by hackers taking advantage of poor security practices like hard-coded default passwords — and used in massive Distributed Denial of Service attacks.
“This is no longer a concept, it is happening today and the risk is amplified with every new device connected to a home, office or agency’s network,” he said.
The document argues that users have a responsibility, too — they must not keep using devices past their end of life.
It takes as an example Windows XP, noting that despite a decade’s free support after the end-of-life had been announced, “today millions of these devices remain in use and at risk.”
“Not unlike driving a Model T automobile on a highway today, such devices limited by their hardware architecture can no longer be secure on today’s digital highway,” the vision document states.
Even if such products “ship secure, no degree of patching can address design limitations against unforeseen threats decades later.”
But in reality, IoT products are rarely secure, even when they ship, let alone years later, white-hat hacker Joshua Corman told the AppSecUSA conference last week.
He called IoT the “leper colony … of software development.”
“You have products shipping with vulnerabilities that have been known about and patched for 10 years, and they’re still in the software” unpatched, he said.
“Would you be able to sell a car with a defective airbag — known for ten years to be defective?” he asked, comparing current software developers to the automobile industry before the publication of Ralph Nader’s “Unsafe at Any Speed.”
“The automobile industry didn’t think about safety,” he said.
“Within a few years there are going to be what? — pick your favorite prediction — 15, 20, 25 billion of these [IoT devices] connected to the web … and we know the [software security] hygiene on most of them is going to be horrible. And we know up to half of them will be unpatchable.”
That means even if the programs are secure when shipped, should any vulnerabilities or bugs be discovered later, there is no way of updating the software to patch them.
OTA aims to get industry to see the benefits of security as one of the underpinnings of successful innovation. The nonprofit is unveiling its IoT document this week at the Consumer Electronics Association’s Technology and Standards Forum; the National Telecommunication and Information Administration’s multi-stakeholder IoT workshop in Austin, Texas; and at the Smart Card Alliance’s Security of Things Conference in Chicago.
“Developers, engineers, marketers and sales must work together in order to drive innovation and economic growth, increase the resiliency of the Internet and keep regulation at bay when it comes to IoT devices,” said Spiezle.
But Corman argues that, unless there’s a radical shift in the way IoT and other software is brought to market, regulation is inevitable — because it will follow a cyberattack that leaves dozens or hundreds dead.
“I would argue we haven’t had a high consequence [cybersecurity] failure yet,” he said.
But the IoT was where “bits and bytes meet flesh and blood,” he noted.