The internet of (insecure) things



Commentators and analysts have been warning of inherent security flaws in internet-connected devices for years. But these warnings went unheeded as consumers sought low costs and brands rushed to deliver products quickly to a hungry market.

These devices were then deployed with their weak default passwords unchanged, leaving them open to anyone with an internet connection and the desire to do damage.

With a huge increase in the number of internet-connected devices, industry and governments are both waking up to the reality that much of what is already out there is unsecured and readily hackable.

The panel debated what should be done to make the devices more secure, with proposed solutions including certification, legislation, insurance, making manufacturers liable, and better end-user education.

Professor Norbert Pohlmann from the Westphalia University of Applied Sciences Gelsenkirchen advocates a more strategic approach to the architecture of IoT, arguing that the frameworks already exist. “If IoT is bringing all this innovation, why don’t we start with a new IT architecture? A security kernel with separation and isolation technology combined with intelligent cryptographic security mechanisms (TPM). This technology is available right now.”

Most agree that certification and legislation are not flexible enough to protect against an agile threat landscape. “Certification and regulation will always lag behind technical innovation,” says Professor Isaac Ben-Israel from Tel Aviv University. “Technological progress doesn’t fit the timescales of bureaucracy and legislation.” Erik Laykin, Managing Director of Duff and Phelps, agrees: “Certification is static, and we live in a world that is highly agile. By the time the White House comes out with a new rule, it’s too late; it’s obsolete.”

Incentives were also discussed. Davi Ottenheimer, President of flyingpenguin, stressed that it’s important to understand the incentives behind implementing secure practices. He gave the example of drone deliveries dropping parcels in illegal locations and simply paying off fines each month because it’s still profitable to make deliveries that break the law.

Expecting the market to bear the cost of improved security is unrealistic, many contend. Founder of Red Branch Consulting Paul Rosenzweig says: “The market doesn’t price insecurity. If my Nest device gets hijacked and takes down your network, I don’t care at all. This is a perfect example of an externality that will never be built into the price of a product, and never will be, because nobody sees the benefit in it.”

A better approach would be to incentivize manufacturers to improve security by making them liable for damage caused through vulnerabilities in software or hardware.

The question of attribution also arose, a thorny subject that is close to many of the delegates’ hearts. “I cringe every time the attribution question comes up, because I automatically hear control over users, control over speech. Attribution and control, to me, go hand in hand. As a civil libertarian, I worry a great deal about that,” says Chris Calabrese, Vice President for Policy at the Center for Democracy & Technology, who then opened up the discussion by asking whether there are certain products and services where we should focus on attribution and others where we shouldn’t.

Finally, many agree that DDoS attacks are one of the less worrying attack types that IoT could lead to. Professor Isaac Ben-Israel says: “DDoS attacks get media coverage that’s disproportional to the amount of damage they do. There are 2 million DDoS attacks in Israel a day. You never hear about them because the success rate is so low and they’re relatively simple to defend against.”

Much more worrying, many agreed, would be if a hacker managed to immobilize your car. Chris Calabrese speculates that most people would pay significant ransoms to regain control of the second most expensive thing they owned. And Erik Laykin points out that such an attack would pale in comparison to what a hacker could do to a car that was already in motion.





More articles by Todd Smith
