Read Time: 5 Minutes
Recently, I participated in the Cyber3 Conference in Okinawa, Japan. The event was organized by the government of Japan and the World Economic Forum. I was part of a panel that discussed cyber security implications of the ever-increasing connectivity of devices, “things” and “everything”. The following blog post is based on the themes I brought up during the panel.
The Internet of Things is at least 20 years behind the established software industry in its cyber security awareness.
Remember what Microsoft was like before their Trustworthy Computing initiative. No automatic updates, no firewall, features and legacy support walked over security requirements, loose control over what 3rd party developers were allowed to do over the OS.
Microsoft is a prime example of the positive effects achieved when a vendor starts taking security seriously. Windows 95 was a disaster, but luckily the Internet was a much friendlier place at that time. Windows 10 is not only a remarkably secure operating system, but over the years Microsoft has also made a serious effort to get rid of the old legacy code by deprecating and dropping off features that would not be wise to use anymore. From the security point of view, the Microsoft of 2015 is a completely different company than in 1995. Even if Windows XP was ever fit for the Internet of 2002, it certainly isn’t any more. Who do you think is the first one to tell you this? Microsoft!
For some reason, one of the most popular IoT platforms, Linux – often in the form of Android – is currently exhibiting a similar trait: security fixes – even though they usually are produced – do not reach the end users because the maintainers of various distributions (a type of a 3rd party) do not see security updates as a critical priority.
As a result, the Internet is being filled with unpatched and increasingly unsecure consumer devices, IoT appliances and – in growing numbers – Industrial IoT applications.
Just as Windows 95 was not fit for the Internet, I feel that IoT in general is not fit for the Internet. Given the growth volumes of IoT devices, I am afraid it may soon turn the other way around: the Internet is not fit for the threat posed by IoT.
I urge IoT manufacturers to learn from the lessons of the software industry and start taking care of vulnerability management. There are two ISO standards on vendor vulnerability handling that I encourage companies to familiarize themselves with. Please note that the standards are behind a paywall: ISO/IEC 29147:2014, ISO/IEC 30111:2013.
Similarly, I urge manufacturers to not only accept but also cherish the fact that end users, researchers, and governments will look into the security of their products. Be prepared to receive vulnerability reports that you need to handle in public. Get involved in Bug Bounty programs, create EULA exemptions to accommodate security research, and tune your development process to respond to critical security vulnerabilities in an efficient manner. Be aware that there are hosted Bug Bounty programs available to assist you.
Sometimes the problems with IoT security can go beyond the obvious… Think about self-driving cars for example. They use algorithmic decision-making. But what if there are only bad options available? Should a car choose to drive over a lone pedestrian to avoid hitting into a crowd? What if the lone pedestrian is a child and the crowd consists of elderly persons? What if it turns out that the accident could have been avoided if the other vehicles would have exchanged telemetry data but failed to do so? Or if the telemetry data was unavailable due to problems in the local cellular network or cloud issues? One can continue this line of thought to ridiculous lengths.
The other day, I had a delightful discussion with a lawyer called Mark Deem who is a partner at Cooley, a UK-based law firm. Mr. Deem noted that there is no legal precedence to the liability of algorithmic decision-making. The most recent legal construct dates all the way back to ancient Roman law. During Roman times, the damage caused by a slave was considered to be the responsibility of the owner.
Now, what is the modern equivalent to the slave master? The passenger of a self-driving car? The leasing or financing corporation that actually owns the car? The reseller or car dealership? The car manufacturer that is keen to keep the software copyright to itself? The subcontractor that actually wrote the code? The regulator that issued (or didn’t issue) guidance?
Unless we witness a change in the mindset regarding security and how software is developed and maintained, we are going to see a big mess.
F-Secure will announce a new security solution for securing IoT devices in homes and small office environments. We feel this is the way to go – it is an absolute necessity that IoT devices can expect that they are operating in a relatively secure environment. Which is ironic only because most devices are just plugged into the Internet without any kind of external protection.
See what Charlie Miller and Chris Valasek found out with Chrysler’s uConnect. The Jeeps were directly connected to Sprint’s cellular network! Once it dawned on Chrysler that vehicles with uConnect accepted inbound connections, the mobile operator rushed to apply traffic filter protection to protect the vulnerable cars.
It is about time to adopt a similar holistic approach to securing the IoT. The security must come from outer layers in situations where the device itself is unable to defend itself.
Currently, the IoT is seen as a way to bring network connectivity to physical devices. There is a need to move on from that premise and to realize that the aim is to transform the business model from selling devices into providing billable services. Once one understands that the service is the source of revenue and the device is merely reduced to a vehicle through which the service is provided, one can begin to understand the value of protecting those devices.
They are not “just” devices that the customer has taken home, they are an integral part of the value chain.
Networking is easy. Understanding its potential and implications is difficult. This is not just a technology exercise, but rather economical, societal and psychological. We need economists as badly as we need good engineers.