Over the past 18 months, I’ve been in a variety of situations where I had the opportunity to discuss the Internet of Things (IoT) with various industry professionals, developers and journalists. It intrigued me to realize that many of my viewpoints often differed from others discussing the topic in articles or event presentations.
With that in mind, I wanted to share three topics that I find are discussed less frequently. Regardless, these topics should be an important aspect of the conversations we need to be having on this rapidly growing subject.
1. Crowd funding and IoT Go Hand-in-Hand
For most people, IoT will be defined as crowd-funded products throughout the next few years. While the most successful products will surely be acquired by a behemoth, or find venture capital funding, or go private, their start will have come from the cutting-edge technology buyers among us.
For example, Samsung acquired the IoT hub company SmartThings this August for a reported $200 million, less than two years after it gathered $1.2 million in crowdfunding. Not to be outdone, LIFX – a connected light-bulb company – raised $1.3 million before receiving $12 million of investment from Sequoia Capital.
Why does this matter?
Because the people initially developing these connected products likely have little-to-no experience in information security across mobile, embedded, cloud and web applications – all of which are likely core to their business.
This is not a shot at these two companies but rather a reflection of the state of affairs when people are simply trying to raise enough money to get their idea off the ground, let alone spend a chunk of their budget on security audits and security engineering staff.
Although big companies make security mistakes too, it is all but guaranteed that two or three smart folks quickly pushing a connected product to market will fumble security somewhere. LIFX, for instance, did unfortunately have some early security issues.
2. Technology Tedium and Human Needs
I’ve admittedly asked this question many times at events this year, but when was the last time you upgraded your home router’s firmware? How about your parents’ router?
For all but the very technically-inclined, the answer may be “never.” This is due to two primary reasons: nobody cares to do it and/or they don’t know how to do it.
Think five years into the future when your light bulbs, electrical outlets, switches, cameras, watches and children’s toys are connected devices. What is your honest thought about upgrading one to two dozen devices, maybe every week or bi-weekly, depending on update cycles?
For me, this sounds like a hellish level of tedium resulting in a waste of my time, effort and sanity.
Further, the means of upgrading firmware varies widely from device to device, which leaves users confused about the update process for each IoT offering. The result is that even technical folks have to keep track of these processes at scale to ensure they aren’t missing security updates across their home- or office-of-things.
I, personally, am a big advocate of auto-upgrading firmware. While this adds some engineering overhead, it could dramatically reduce the future risks people will deal with when bugs are discovered across their many devices. If large organizations have a hard time with inventory, threat and vulnerability management, what makes us think consumers can do any better handling their technology if people still can’t seem to get their Windows machines upgraded?!
3. We’re Not Waiting for Massive Failure to Start Fixing
The last thought I want to leave you with is a bit more of a plug than unbiased insight, but the core message is still notable.
Earlier this year, Zach Lanier and I formed an initiative dubbed BuildItSecure.ly. The initiative has the broader goal of putting IoT development on a safer, more security-driven path by educating engineering teams through content and hacking the devices to provide direct security improvement.
While the underpinnings here are basically what already happens in the security research community, the means of accomplishing these goals are different.
BuildItSecure.ly is focused on having vendors effectively opt-in to this initiative, providing their hardware to handpicked security researchers that we vet for competency and professionalism. We also only focus on IoT to give extra attention to this nascent and malleable world of technology.
This effort has thus far resulted in five vendors, including big names like Belkin and Dropcam, helping to lead the charge for IoT that considers security a first-class citizen rather than an afterthought in the development cycle.
We’re just getting started in a lot of ways, but the relationships being built, the good will for the security community, and the number of devices now being developed more securely due to our efforts is already making a big impact.
There’s a lot of work to do, but we’re at least focused on giving IoT a fair shot at being the poster child of security and not the antithesis of it.
About the Author: Mark Stanislav (@markstanislav) is a Security Project Manager for Duo Security, an Ann Arbor, Michigan-based start-up focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, start-up, and corporate environments, primarily focused on Linux architecture, information security, and web application development.
Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.