“We’re Stuffed” – Is IoT Security Out of Control?
Penetration tester Ken Munro believes IoT manufacturers are exploiting consumers’ lack of security awareness.
This is a huge problem, particularly in the automotive industry. Most of the auto original equipment manufacturers (OEMs) have really got on top of security and have great security teams that are doing the right things. But the problem they have is this lag – from clean sheet to the delivery of a new vehicle is going to be three years.
So how do you deal with that existing base of vehicles out there? I think all we can do is keep applying pressure – whether it’s pressure from regulators or security researchers. Sadly there’s not a great deal we can do with the existing products. But I would love to see the ‘right to return’ because that would be a huge incentive for companies. So if the product you bought is proven insecure I would love to see consumers being able to return it.
So how can we deal with disposable IoT for industries such as agriculture?
At the moment, we’re stuffed, frankly. There’s so much poor security and so much IoT already that all we can do is drive forward. I think trying to retrospectively apply security is going to be very, very difficult. All we can do is hopefully shine a light on it and encourage people not to use bad ones.
A lot of security research seems to be into the IoT end product. But how can we push this back further in the process and make the companies creating the chips and kits ensure security is part of their process from the beginning?
Many of the big chip vendors actually produce really good chip sets with lots of great security functionality, which is fantastic. Until recently, there’s been a bit of a price differential there. So we need to encourage the device manufacturers to understand why it’s worth paying a few more cents for a better chip with lots of functionality.
However, for most IoT manufacturers, the key is not to try and do it all yourself. Outsource the platform. Outsource the development to people who understand. But outsourcing to the wrong people is what’s causing many of the security problems.
To what extent do you think the younger generation is being brought up to think they need IoT devices just for the sake of it? Do you think we need to encourage children to grow up evaluating whether or not they actually need them?
There is so much consumer IoT. How much of it do we actually need? How much do you need to boil your kettle remotely? My kettle doesn’t take very long to boil so why do I need to boil it remotely? Why do I need to call it when I’m on the train home? It’s going to take me 30 seconds when I get there. I ask everyone to consider what is the personal business case for buying these ‘smart’ things. Do you need a smart toilet? Do we need these things?
I think there are certain cases where there are real, clear benefits. For example, helping the elderly to live assisted by themselves longer. I think there are some great ideas there. In healthcare telematics there’s so much we can learn about a population’s health and how we can improve it. There are lots of different benefits but I think we need to stop getting too excited about having a smart hot tub. Do we need it?
I think if we are, as a society, going to decide to have smart everything then we have to accept that there needs to be a cost of training people to understand how to do security themselves. Right now, consumers don’t have a clue and many IoT manufacturers are exploiting that lack of awareness to sell them cheap, insecure products.
- Ken Munro, a security entrepreneur and industry maverick who has worked in infosec for more than 15 years, was speaking to DIGIT at the 31st annual FIRST conference in Edinburgh.