Without Security, IOT is Just a Smart House of Cards

October 14, 2014

Without security, the vision of Internet of Things cannot come true.

I was told in a meeting recently that security is a defensive investment – just like insurance. You don’t make money out of security. This is probably why as developers, we get there last when we build something.

The problem is, when everything gets connected as in IOT, and the devices are far from the eye and numerous – we can no longer ignore security and have to give it top priority.

The latest security flaw making waves last month was Shellshock, affecting Unix based systems (=Linux=almost everything) running bash shell command. You can find more information on Tom’s Guide about Shellshock.

Geek & Poke puts it nicely as well:

Shellshock

Simple. Concise. Gets the point through.

What are going to be the foundation of a good secure architecture? I don’t know.

What I do know, is that the basics of it all must be the ability to upgrade the device’s firmware remotely and automatically at all times. Just like most modern browsers do today.

We should not and cannot rely on users to do it these days. My wife never upgrades her apps on the phone. I do it for her once every weeks or so, just to keep her up to date. I used to care in the past, but Chrome taught me to expect the latest version to be there at all times.

For IOT to work, we need chipset manufacturers and device manufacturers to get their act together and make sure their “things” are upgradable over the network automatically. We should also demand that they maintain and update their “things” from security risks years after those “things” got acquired. Otherwise, we will never be able to get to an IOT utopia. What we will be left with will not be a smart home, but rather a smart house of cards.


You may also like

Comment​

Your email address will not be published. Required fields are marked

  1. You talk about automatic updates from the manufacturers like it is going to ever happen or if they are going to do it for devices sold for just a few dollars.

    Maybe I’m pessimistic, but I think It’s going to be a lot worse then what you stated. The embedded guys are not going to change their ways, unless the law of the land says they have to or reputation damage is to great. Those are both governed by public opinion.

    But there will be an other model, also not really all that great. You will have to pay for it like a ‘cloud service’ or a phone which keeps the device not only updated. But when you stop paying the device stops working: http://www.theatlantic.com/technology/archive/2014/09/when-everything-works-like-your-cell-phone/379820/?single_page=true

    You might get the device for ‘free’ if you get a contract for an initial period that is long enough.

    (side note: also I know Bash Shell Shock is just an example, but in real life, you wouldn’t actually see a Bash-shell on an embedded device. Most of them use BusyBox)

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}