When this century commenced, delivering new technology as quickly as possible, with scant concerns about quality, became standard practice. Consumers snookered into buying version 1.0 of anything were essentially quality-control testers.
How soon we forget. As we enter the age of the Internet of Things, companies are pushing out computing devices optimized to connect to the Web with little thought to security implications.
ESET security researcher Cameron Camp has been paying close attention to data security. He recently sat down with ThirdCertainty to share his observations (answers edited for clarity and length):
3C: New devices with the capacity to link to the Internet seem to hit the market every day, and eager early adopters snatch them up. Why should they slow down?
Camp: Companies are going to live and die on whether they get to market fast. I think security tends to be an afterthought, and I’m concerned that some of the manufacturers don’t really have a solid way forward right now.
3C: That sounds ominous. What can and should we be doing?
Camp: We have to think about security in new ways. We have to secure the person, the experience and the data at rest and in motion at all times, and that’s not going to be done with a PC attitude toward security.
We don’t understand how to protect that data at all times and on a multitude of platforms. If you’re working on machines at home, and a lot of them are connected, and you have a breach on one, you have a breach on lots of them. All hackers need is a toehold into your system.
3C: What if someone doesn’t buy every new gizmo that comes along? Are they safe?
Camp: Hackers are finding interesting and novel ways to break into all kinds of things. Routers are one of the first things that really need security to be dealt with, because everyone has one. If your router is one to three years old, it is a gateway to get into everything you own.
3C: Why don’t routers get patched like PCs?
Camp: The manufacturer will be notified that these things are wide open to attacks, and they don’t seem to want to do anything; they’re more interested in the next product cycle. People replace a router when it dies after five years. In the meantime, if four of those years they’re vulnerable, we have a big problem.
Manufacturers have to keep the revenue up; they don’t do that by supporting their routers forever, especially low-cost routers. In the Internet of Things, if you have many sensors around the house, and you raise the cost of those sensors by $1, it makes your system cost too much. Nobody’s going to buy it, and you’re going to be out of business.
3C: Everyone is worried about their routers now; anything else consumers need to be concerned about?
Camp: The people who are good at breaking into Internet of Things devices may not be good at exploiting them, but they are good at entry, and they’re going to sell that to the highest bidder.
Many of these devices run a full Linux operating system; that means they are a server. You can load things on them and exfiltrate data, because Linux was always built to be networked; it was built to be in a server environment.
3C: Is there some good news on the horizon?
Camp: I think there’s going to be a standardization around operating system ecosystems. We’re going to see default operating systems used on the Internet of Things so a manufacturer can focus on their own sensor, their own technology, and just drop in a secure operating system. Right now, there are many different permutations. In five years, we’re not going to see that; we’re going to see just a few that everyone uses, so if there’s a security issue, people will understand more how to patch them.