If you think our security sitch is bad now, wait till you get a load of the internet of things


There seems to be news of a new massive security breach every day — the latest being the eBay mess. The good news is that because of these snafus, people are starting to get that bad browsing behavior and non-updated software on their smartphones, tablets and PCs can lead to problems.

But there’s a rash of shiny new devices connecting to the internet that are also vulnerable to a remote attack, and that requires a new way to think about security — and this will be a topic at the upcoming Structure show in San Francisco June 18-19. And then there is an array of less glamorous connected things that predate the IoT hype cycle, and that most people don’t even think about as being vulnerable. Your printer, for example, could be a disaster waiting to happen, said Patrick Gilmore, CTO of Boston-based data center provider Markley Group (and former network architect at Akamai).

At MIT’s CIO Symposium on Wednesday, Gilmore asked a roomful of IT professionals: “How many of you would be upset if every document you ever printed was read by someone you didn’t intend to see it?” It’s safe to say 100 percent of that room would be unhappy about that.

When people build printer cards, which have IP addresses, “they’re not thinking about stack overflow or checking to make sure that the person sending the print command is the person that should be sending that command. These devices need to be secured but are not even considered in most CIOs’ security plans,” Gilmore said.

Broad connectivity, more data = higher stakes

So more data is getting generated and collected by more devices. And to complicate matters, the lines between hacktivists, state-sponsored hackers and industrial spies are disappearing. Consider a scenario where your top competitor could, with the right help, read every document your CEO or CFO or general counsel ever printed. Scary, no?

Joseph Hadzima, senior lecturer with the Martin Trust Center for MIT Entrepreneurship, who moderated a security and privacy panel, painted a scary world where baby monitors get hacked and cars are remotely commandeered. The stakes have certainly changed but the tools used till now to secure our stuff have been overmatched for some time. What does it say when Symantec, an anti-virus company, admits that anti-virus is dead?

Mark Morrison, SVP and Chief Information Security Officer for State Street, agreed with Gilmore that two-factor authentication is table stakes now. But companies need to go further.

Morrison wants to just nuke passwords altogether. “They’re a complete waste of time,” he said. For one thing, they need to be 14 to 16 characters long to be even marginally useful, but at that point people end up writing them down on stickies, which defeats the whole purpose.

Enterprises need to proactively monitor threats and make sure their infrastructure evolves accordingly. The message out of MIT was that no one can stop every attack, but companies can make it less worthwhile, harder and more expensive for bad guys to attempt attacks in the first place. And they need to be acutely aware that a layered security solution has to cover non-traditional gizmos that are connected to the network.

Yes, the printer too.


11 Responses to “If you think our security sitch is bad now, wait till you get a load of the internet of things”

  1. Ralph Haygood

    Most of what I hear about under the “Internet of things” rubric strikes me as solutions to imaginary problems. I’m far from a technophobe – I develop software for a living, and I gladly embrace new and better tools for doing so – but I really don’t feel the slightest need for, say, an Internet-connected light bulb. On top of that, considering the security problems we have with the Internet of conventional computing devices, an Internet of household appliances and the like is indeed a security nightmare. No thanks.

    • brown_te

      Well said, Ralph. I think IOT is still firmly in the Jurassic Park category (the gadget makers are so preoccupied with whether or not they could that they didn’t stop to think if they should). Where is the killer app, here?

  2. JenniferDawn

    Thank you so much for writing this article! I have been saying this for a while, but the IoT ‘vendors’ are suffering from the ‘Emperor has No Clothes’ syndrome, and have not thought out the necessary security implications.

    I think it will take a few dozen DEATHS for anyone to really take this threat seriously, however.
    People just blindly trust these new devices, and won’t take it seriously, until people get physically injured.

    Quite honestly, I wish I had a law firm, so that I could start preparing the inevitable class action personal-injury lawsuits – it will be a veritable gold mine!

  3. It is hard to keep up with all the new threats. Companies have to assume a lot of the responsibility for security if they want to do business this way. They have economies of size and economies of low staffing numbers.