Frequently asked questions
8 Dec 2016

TL;DR: what is going wrong?

There is tremendous pressure for IoT devices to be cheap to manufacture. Cheap means that hardware capabilities are the bare minimum, firmware and security design quality suffer, and there will be no support after the device is sold. As a result, at release time, most devices have obvious vulnerabilities. The older a design gets, the more we learn about breaking it and the weaker the device gets. As there is no support, none of these vulnerabilities will be resolved.

TL;DR: how do we fix it?

As a designer, the OWASP IoT recommendations are a good place to start. Produce a threat model and a risk analysis.

Globally, the device side can’t be fixed. Most new devices will be full of vulnerabilities forever. People need to know that this is the case and trust devices accordingly. Our networks need to be resilient against potentially malicious devices.

Why is IoT special?

It isn’t. The vast majority of software, systems and cloud security applies to IoT with no modification.

IoT varies because:

Why don’t we just put regulations on device manufacturers?

Because all device manufacturing is done in China. How does the U.S. or EU mandate something as vague as ‘secure device’ in China?

Besides, as a consumer, would you pay another $40 for your Internet router? Or an ongoing fee to keep the firmware up-to-date? Of course not! You love cheap stuff and unless you’re in the narrow subset of the population that actually knows that infosec is a thing, you’re going to buy the cheapest device that does what you want.

Who are you and why should I listen to you?

I’ve been shipping embedded systems for over a decade. Most of them connected to the Internet. Some of them have been implanted into people’s bodies. Some of them have been hacked. I’ve also spent a lot of time attacking them, both as a penetration tester and as part of my own test procedures.


comments powered by Disqus