Will it take a catastrophe before we lock down the internet of things?


As more devices become connected to the internet, safety and security considerations often seem like an afterthought — which could be fatal in the case of connected cars or industrial controllers. “If it’s got software, it’s vulnerable, and if it’s connected, it’s exposed,” said Joshua Corman, founder of I Am The Cavalry, at Gigaom’s Structure Connect conference in San Francisco on Wednesday, where he was joined onstage by Hugo Fiennes, CEO of Electric Imp.

It’s not just your data that’s at risk if your car or your lock has an IP address; it’s also your physical security. Because our dependence on connected technology is growing faster than our ability to secure it, the internet of things has a problem that doesn’t have a clear solution, whether it’s public standards, the free market or even government regulations. Consumers don’t have a clear authority to turn to.

What Wi-Fi chip maker Electric Imp is counting on is that a secure toolkit will be attractive to connected device makers that don’t necessarily have the resources to do security themselves. “Companies who build products can make use of the security work we’ve done,” said Electric Imp’s Fiennes. “Because you can’t add security to an insecure system.”

But security isn’t an end-point, it’s a process, and part of having a system that isn’t easy to attack is keeping it up to date. Connected devices need to get better at installing updates without user input. “People have too much stuff going on to make sure their lightbulbs are updated,” Fiennes said. “You can’t be asking did I leave the gas on and are the lightbulbs patched?”

Ultimately, securing devices on the internet of things may mean considering whether an object needs to be connected to the internet in the first place. “It’s like ‘everything’s better with bacon’ — not everything is better with Bluetooth,” Corman said. “Just because you can put connectivity on something, doesn’t mean you should.”

One important question is whether it will take a disaster for meaningful changes to be made to current connected security practices. “Around the turn of the century, the Cuyahoga river caught on fire, and that’s why we have the Environmental Protection Agency,” Corman said. “I hope we don’t have a ‘cyber-Cuyahoga’ moment before we start doing something.”

Photo by Jakub Mosur


5 Comments

Colin Robbins

I believe that solving the challenge is an economic issue, not a security issue. Security is the problem, but sadly economic pressures mean suppliers want to bring their latest and greatest offer to market, and are incentivised to do so by consumers who buy the latest goodie. To date, there is no incentive to make the solution trustworthy, to make sure the security risks are minimised, so the inevitable happens. Our challenge is how to alter the market forces so security becomes a valued feature of a product.

A B

Go become an Internet of Things blackhat hacker. That should incentivize people.

gondot

Reblogged this on gbytech and commented:
Reminds me of drones which almost collided with a plane. Guess when we start something we should weigh the safety concerns first. If we don’t do this we could have a problem like the TAKATA debacle with faulty airbags. Technology yes but with precautions of course

Anonymous

Security is largely an impossibility due to poor implementations or holes that weren’t found. See: every internet security feature ever up to this point

Constantly changing to try to patch other issues. Often have critical issues, even if we don’t find them for 10-15 years.

POODLE, BEAST, Heartbleed to name three popular ones.
