The Internet of Things (IoT) is a buzzword that many use to describe a not-so-distant reality in which devices and machines talk to one another. To some, however, the potential of IoT extends well beyond the mere notion of a “smart,” interconnected world. Included in this group of observers is Jeremy Rifkin, an author, political advisor and social activist who recently keynoted the CeBit conference in Hannover, Germany. According to Rifkin, the Internet of Things will succeed in creating three Internets—communications, energy and transport/logistics—once it has reached its maturity. These Internets will rely on upwards of hundreds of trillions of sensors that monitor anything from crop growth to traffic patterns, thereby reshaping the world’s economies into transparent entities that everyone can inspect and monitor. “For the first time in history, everyone is going to have a transparent picture of the economic life in society,” Rifkin said. “We are leveling the playing field. If this network stays open, everyone is going to know what everyone knows. Everyone is going to know what’s going on across the value chain.” He goes on to explain that via the widespread adoption of digitalization, the Internet of Things will drive down business costs, streamline economic activity and ultimately, favor societies in which users become empowered consumers. Acknowledging these benefits, we are beginning to see a push in technologies that help developers invent and quickly release new IoT-related products. One such solution is Onion Omega, a cloud platform that benefits software developers to the extent that they can design Internet of Things applications without having to build their own hardware from the ground up. The dev board, which has its own Kickstarter campaign, comes preloaded with Linux and WiFi. It also accommodates a number of different expansion modules, including relay, OLED and webcam. However, the enthusiasm that characterizes Onion Omega, not to mention the comments of Rifkin and other advocates, misses an important point: IoT products are being released to consumers without adequate concern for security. This is one of the findings of a recent study conducted by Veracode, a Massachusetts-based application security company. Researchers purchased six consumer-grade Internet of Things products to test in their labs earlier this year. At the conclusion of the study, they had discovered “significant” security vulnerabilities in most of the products tested.
“Product manufacturers weren’t focused enough on security and privacy as a design priority, putting consumers at risk for an attack or physical intrusion,” the report states.
Veracode’s results mimic those of Hewlett-Packard’s 2014 Internet of Things Research Study, in which its Fortify application security unit found 250 unique security vulnerabilities after testing the 10 most popular Internet of Things products at that time. This made for an average of 25 vulnerabilities in each product, which included “smart” products like webcams, sprinkler systems, and home alarms. Most of the IoT products analyzed by Veracode and HP run on stripped-down versions of Linux and are, therefore, susceptible to the same security vulnerabilities that might be found on a computer. This begs the question: Why is so little effort being made to secure Internet of Things applications? In most cases, cost is a significant factor. As Mark Stanislav notes, how many IoT products are crowdsourced by people who may not have experience in security themselves and who may lack the funds to adequately test their products for security vulnerabilities? This observation ultimately helps to explain the reasoning behind platforms, such as Onion Omega, which uses customizable hardware in an effort to make the development of IoT applications less expensive. At the same time, however, business risk is overriding security risk in the minds of many executives. According to a recent survey conducted by Atomik Research on behalf of Tripwire, 63 percent of C-level executives expect business efficiencies and productivity to force them to adopt IoT devices regardless of the security risks, whereas only 27 percent of them are “very concerned” about the risks. Most of these executives are clearly more concerned about the projections for the expanding Internet of Things market, with 75 billion “things” and $263 billion in IoT-related services expected in 2020, than they are about these products' security. Security is currently not a major concern when it comes to the Internet of Things, but it should be. Katie Moussouris, the Chief Policy Officer for HackerOne, wrote an article in which she reminds us how the “Age of the Great Worms” in the early 2000s forced software vendors to learn the value of security the hard way. With the Internet of Things not far on the horizon, it is the collective responsibility of security professionals and developers to recall these lessons and apply them to the Internet of Things. We must harden IoT products via a Software Development Life Cycle. Otherwise, we risk repeating our mistakes of the early 2000s, only this time with many, many more connected devices.
