Anton Sabev – Principal System Security Architect – Intrinsic ID |
It’s no secret we live in a world of headlines. So when I came across an article under the headline “IoT is Insecure, ‘Get Over It!’ Say Researchers,” the controversy of that statement caught my attention – so I of course had to read the rest of the piece to see how it played out.
That provocative stance came from Charlie Miller and Chris Valasek, security architects with Cruise Automation, when they spoke at a recent technology conference. Cruise, a manufacturer of self-driving cars, was acquired in 2016 by General Motors, and in September announced what it called the first production design of a self-driving car that can be built at massive scale.
“We write code and we are not perfect,” was the first grenade, lobbed by Miller. “The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security.”
That statement gave me pause. I work for a company that helps some of the world’s top electronics companies provide security for millions of connected devices. So yeah, I think it IS possible to “solve security.”
Curiosity piqued, I continued to read. Several more assertions were advanced, some having to do with the cost of adding security, others with whether consumers of certain products would be willing to bear the cost of adding security. These are reasonable issues to raise. But other assertions centered around absolutes — you either have no security at all or you have what the piece calls “great security.” It suggests you should discern which applications require security versus which ones don’t.
On that point we would disagree. The conclusion should not be to give up where “great security” cannot be justified. Better to determine how to bring appropriate security to applications.
The speakers were clear in their advocacy for security related to health and safety. We obviously have no quarrel there. Nobody wants their pacemaker or insulin pump to be hacked.
But is that where the justification for security stops? No.
Miller continued: “It’s fun to talk about hacking IoT devices. But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks. Don’t be surprised if the IoT toothbrushes of the world get hacked. Focus on the important stuff.”
Having an insecure toothbrush, toaster, refrigerator, baby monitor, etc. might not seem bothersome. After all, if it’s breached the hacker still needs to get past security measures elsewhere on the network, such as the router. But routers — designed and represented as a means to connect a household’s devices to the Internet and provide protection — are considered by some to make an appealing entry point for hackers.
So tell me again how unimportant that toothbrush is.
Consider the simple case of locking a door. A traditional physical key would certainly lock it, but perhaps you want to use an electronic lock for sake of convenience, to avoid the possibility of theft or loss of the physical key, or because multiple people need to access that door and it’s impractical to generate and manage that many keys.
An electronic lock could open vulnerabilities – online hacking, side-channel attacks, etc. So how much to spend on securing its connectivity? What should be looked at is not only the cost of providing the security but also the actual asset that is being protected, and design a solution that will appropriately protect the asset and make it more costly to steal than what the asset is worth. That’s the level of investment that’s appropriate.
No risk to safety? No risk of theft? No problem? No.
If I were to say “thermostat” most people would think about the thing hanging on the wall in their living room, controlling the temperature in the house. And if I said “IoT-connected thermostat” they might think about products from Nest. Now if someone were to hack into the IoT-connected thermostat in my house, during the summer perhaps, they could modify it so that the reading is inaccurate, and as a result it costs me more to air condition my house than is really needed. We can argue as to how meaningful that cost is, but it is undeniably a cost.
But let’s extend that same example to a thermostat controlling the temperature in a meat warehouse, or a frozen goods facility, any commercial environment where temperature plays a role in maintaining product viability. Such a location could be compromised by adjusting the sensor data so that the temperature reading is inaccurate. And I could do it in such a way that it costs my competitor more money to keep his product at the correct temperature. Or I could adjust it so that he maintains a temperature inadequate to protect his product, and therefore he has greater spoilage. This might create opportunities for me in the market.
Is this a safety concern? No. Is it a business concern? Yes. So does security play a role? You betcha.
The successful manufacturers of products which require security will realize they actually need appropriate security to even have a business. When a product meeting a certain function or playing a critical role in a person’s life opens up the door for insecurity that didn’t exist in the non-connected world, it just gives pause as to whether such a product should exist in the market at all.
In the end, we need to be cautious about assessments that are black and white, I think particularly when it comes to security. A vast middle ground lies between the extremes of great security on one hand and offering no security at all on the other. It is possible to fine-tune security to be appropriate in terms of both cost and level of security, addressing products in that middle ground or the same products targeting different applications. Companies CAN design in the security that addresses the needs of the companies or governments that are their customers.
Anton Sabev is Principal System Security Architect at Intrinsic ID and has extensive experience in cryptography, computer security and embedded digital signal processing. Prior experience includes positions with LSI Logic, ST Microelectronics and Intel. He is also a licensed pilot and conducts pilot training.