
IoT Security Pros: You Can’t Beat the Hackers, You Can Only Contain Them


Internet of Things (IoT) security bulls might not like this one: You can’t count on beating the hackers -- there are too many unsecured devices to bolt down -- but you may be able to contain them. How so? By concentrating on the big stuff, according to security experts Charlie Miller and Chris Valasek, in remarks delivered at Black Duck Software’s Flight 2017 conference in Boston.

Both Miller and Valasek are security specialists at Cruise Automation, a San Francisco-based, self-driving car startup owned by General Motors. “The problem is great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security,” Miller said (via Threatpost).

They make an interesting point -- not forsaking good to try for great. Can IoT security platforms, standards or device makers baking in security sufficiently protect the 30 billion Internet-facing “things” expected to populate networks in the next few years? Unlikely. Certainly, cost is a defining factor.

“Unlike a car salesman upselling you to spend more on airbags, a software company can’t upsell you on a security package,” Miller said, as Threatpost reported. “A developer can’t tell a potential customer, if you want a security package with your software, that will cost you $1,000 more.”

Indeed, the Federal Trade Commission recently made the same point in a set of IoT security guidelines for consumers: Device manufacturers “must balance the benefits of safeguarding against various threats with the considerable costs of developing, testing, and deploying software updates,” the agency said.

But wait. Is cost the problem, or is it more about millions of devices shipped without any baseline security to speak of -- default passwords easily guessed by hackers, no policy for software patches or updates and other standard fare? In the big security picture, do smaller devices, no matter how cool, matter much?

“If you’re a company worried about being attacked, it’s not internet-enabled lightbulbs that you have to worry about. It wasn’t an Equifax toaster that led to 145 million people who got their personal data leaked,” Valasek said.

Here's Miller's take: “It’s fun to talk about hacking IoT devices. But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks. Don’t be surprised if the IoT toothbrushes of the world get hacked. Focus on the important stuff.”

Still, a recent study showed that IoT devices are being attacked as a way in to breach companies’ security. The survey polled some 400 IT executives, 48 percent of whom said their organizations had been hit with an IoT-related security attack. Many outfits are not allocating enough funding to stop IoT breaches, the study showed.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.