Want good IoT security? It’s up to each and every one of us

Hyatt said it will provide updates at www.hyatt.com/protectingourcustomers.

So you are driving down the highway at cruising speed and whoa! suddenly you lose control of your vehicle and have no way to regain command. Sounds like something out of one of the Die Hard movies. But that is what exactly happened when two veteran security researchers hijacked a technology reporter’s telematics system in a Jeep Cherokee as detailed in the Wired news story Hackers Remotely Kill a Jeep on the Highway – With Me in It.

It’s not the first such scare for IoT. In fact, everything from signage to airplanes – in flight – has been breached. For many years now, pranksters have been hacking road signs. The Stuff You Should Know blog has a slideshow of 23 Great Hacked Road Signs. About five years ago security research Barnaby Jack showed at the Black Hat security conference how an ATM could be hacked and forced to dispense cash.

Earlier this year, a security researcher told the FBI that he managed to gain access into airline computer systems roughly 20 times and even controlled an aircraft during a flight.

At Def Con last year all sorts of IoT devices were demonstrated to be vulnerable to varying degrees: webcams, HVAC systems, medical devices, networked home devices – virtually anything Internet connected. A scary but unconfirmed story that hackers gained access to a German Patriot missile battery. That’s enough to send chills down anyone’s spine. Late last year, attackers compromised the mill system within a German steel works. They managed to gain access and shut down a blast furnace.

While many view the security of IoT as largely a consumer problem, it’s also a serious enterprise problem. The research firm IDC anticipates roughly 90 percent of networks, within the next TWO years, will suffer an IoT-related breach.

Just this sampling of the state of IoT security is frightening. And even more so when one considers the horrendous security and resiliency of software and data security during the past 20 years, and project that experience of worms, viruses, hackers, and data breaches onto the physical world ranging from our toasters to our cars and airplanes.

So what can we do about it? There’s only one thing we can do (aside from going off-grid): and that is to demand vendors create IoT devices, APIs, and software that are secure and resilient. We can’t afford to accept anything else. While Congress is pushing a point solution in the Security and Privacy in Your Car Act, regulatory solutions  – whether led by government or by private industry – are often woefully inadequate. Just look at the results from PCI DSS for the payment card industry, or the security results after so many years of FISMA.

So what can be done? What should have been done when it came to consumer and enterprise software: demand it be built secure and use the power of the purse and the market to effect the change we desire. Press manufacturers and software makers hard about the security of their devices. This goes for enterprises as well as consumers – and when vendors fail to live up to their security promises, dump them and buy from a competitor. It’s the best lever we have to get the resilient and secure systems we deserve.

Trackbacks

  1. […] Want good IoT security? It’s up to each and every one of us […]

    Like

  2. […] Want good IoT security? It’s up to each and every one of us […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: