Lately, I just can’t get excited about Internet of Things (IoT) security.
Heresy, you say? It seems like IoT will signal the end of days—all that technology developed by people who don’t know security kung fu will surely result in the apocalypse, right? I have visions of cloud-controlled lawnmowers roaming the streets of cities, ravenously cutting down pedestrians. I shudder at the implications of a world taken over by machines run amok.
OK, maybe that’s a tad extreme and cynical. But we’ve all seen technology industry hype overwhelm the occasional rational thought. Scary stories about things connected to the internet are good reminders to everyone that we’ve seen this movie before and survived, even thrived. So how do you separate fact from fiction? Is IoT the next great radiation of attack surface, or just another buzzword we’ll forget in 18 months?
Here are some thoughts that have stayed with me since attending my first IoT talk way back in 2014.
We are apparently now so bereft of buzzwords that “things” is the best we can do. Something that encompasses everything (from cars and wristwatches to platforms and ecosystems) is in practice likely to be relevant to nothing.
Let me be clear for all of you who think me a neo-Luddite by this point: IoT is cool. The notion that the “things” we use in everyday life can sense, process, and anticipate our desires is fantastic, future-defining stuff. So let’s not let security get in the way of a good story, but rather draft along behind it and use the momentum to improve security overall. It is not unrealistic to think that things could actually be better: look at mobile security and its lower prevalence of malware than PCs, integrated multifactor authentication (e.g., biometrics and SMS), encryption that the government can’t break (easily), and the list goes on. It’s critical for security practitioners to bring these better security technologies and practices to IoT while it’s still in development.
The Internet of Things is not just good for consumers, it’s good for security people too—especially software security people. Does anyone doubt that the world is going to have a lot more software written in the next hundred years to take care of all this automation? And not just for the IoT devices and networks themselves. Think about the data deluge foreshadowed by IoT. We are going to need even more software on the back end too (middleware, and servers, and data marts, oh my!).
We know how to do technology security; we just need to jump in and do IoT security. I’ve seen a lot of “special” technology come down the pike, and despite initial claims to the contrary, most of the existing approaches to securing earlier technologies remain valid. Of course, deep understanding of any technology is key to making it as secure as possible, so pairing the fundamentals with a heavy dose of subject-matter expertise is also essential (e.g., hire good mobile pen testers to test your mobile apps). And, unquestionably, we should leverage what we’ve learned about TCP/IP security over the years, since it is the “internet” part of IoT.
We aren’t going to solve this at the network layer.
One fundamental that probably won’t apply to IoT is the perimeter firewall. We’ve been trying to protect more and more dynamic endpoints with firewalls since the early days of networks, and look at the results. The Internet of Things, if anything, stands for devices openly communicating over the internet. While firewalls are valid controls in certain scenarios, my bet is that they just won’t be for the majority of IoT situations.
Where, you ask, is a better place to establish security? The app layer.
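To make the app-layer argument concrete, here is an added example (not code from the original post) of what securing a device-to-cloud message at the application layer can look like: each message is authenticated with a per-device key and carries a timestamp, so the back end can reject tampered, stale, or replayed messages no matter what network path they took. The device ID, key, payload, and the 30-second freshness window are all constructed for this illustration; real deployments would provision keys at enrolment and would typically add transport encryption (e.g., TLS) on top of this.

```python
import hmac
import hashlib
import json

# Constructed per-device secret for the demo; in practice this would be
# provisioned securely at manufacture or enrolment (assumption).
DEVICE_KEYS = {"mower-0042": b"constructed-demo-key-do-not-reuse"}


def sign_message(device_id, key, payload, ts):
    """Device side: bind device ID, timestamp and payload under one HMAC.

    The body is serialised canonically (sorted keys, no whitespace) so that
    sender and verifier compute the MAC over exactly the same bytes.
    """
    body = json.dumps(
        {"device_id": device_id, "ts": ts, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "body": body, "mac": mac}


class Verifier:
    """Back-end side: accept a message only if it is authentic, fresh and new."""

    def __init__(self, keys, max_skew=30):
        self.keys = keys            # device_id -> shared secret
        self.max_skew = max_skew    # allowed clock drift in seconds
        self.last_ts = {}           # device_id -> highest timestamp accepted

    def verify(self, envelope, now):
        device_id = envelope.get("device_id")
        key = self.keys.get(device_id)
        if key is None:
            return (False, "unknown device")

        # Check the MAC before trusting anything inside the body.
        body = envelope.get("body", "")
        expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return (False, "bad mac")

        try:
            fields = json.loads(body)
        except ValueError:
            return (False, "malformed")

        # The signed body must name the same device as the envelope.
        if fields.get("device_id") != device_id:
            return (False, "device mismatch")

        # Freshness: reject messages outside the allowed clock-skew window.
        ts = fields.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.max_skew:
            return (False, "stale")

        # Replay: timestamps per device must strictly increase.
        if ts <= self.last_ts.get(device_id, float("-inf")):
            return (False, "replay")
        self.last_ts[device_id] = ts

        return (True, fields.get("payload"))


def demo():
    """Run the device/back-end exchange with constructed inputs."""
    key = DEVICE_KEYS["mower-0042"]
    verifier = Verifier(DEVICE_KEYS)
    msg = sign_message("mower-0042", key, {"state": "idle"}, ts=1000)
    results = [verifier.verify(msg, now=1010)]          # accepted
    results.append(verifier.verify(msg, now=1011))      # replay rejected
    tampered = dict(msg, body=msg["body"].replace("idle", "mowing"))
    results.append(verifier.verify(tampered, now=1010)) # bad mac
    return results


if __name__ == "__main__":
    for ok, detail in demo():
        print("accepted" if ok else "rejected", detail)
```

The verifier treats the network as untrusted by design: a message is accepted on the strength of its MAC and timestamp alone, which is exactly the property a perimeter firewall cannot give you once devices talk directly over the internet.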