The Internet of Things: An exploding security minefield

things are not improving in fact they are getting worse

Everybody from the Federal Trade Commission (FTC) to a unanimous crowd of security experts has been issuing increasingly insistent warnings that security is not being taken seriously in the explosive development of the Internet of Things (IoT).

But things are not improving in fact they are getting worse, according to Mark Stanislav and Zach Lanier, security evangelist and senior security researcher respectively, at Duo Security.

Speaking at SOURCE Boston in a presentation titled "The Internet of Things: We've Got to Chat", the two said this is in large measure because of what would otherwise be a good thing the democratization of the field. "There are a few hundred IoT-related companies, most of which you've never heard of," Stanislav said.

That means development of the IoT is, "not just for larger companies," Lanier said. "Anyone can make a thing and get $80,000 overnight to do it," from crowd-funding sources. "But the problem is that entrepreneurs are not security minded people. They have no experience with it and no budget," he said. "And they don't know why other people want to break their stuff."

Stanislav and Lanier said their goal is to help those small vendors understand the importance of security, and in so doing, "help them stay out of jail," with an initiative called ""

More from SOURCE Boston:

-Cognitive bias: The risk from everyone in your organization

-Schneier: Internet has delivered a "golden age of surveillance"

The security problem is growing by orders of magnitude. Estimates of the number of embedded devices that will be connected to the Internet by 2020 range from Gartner's 26 billion to more than 50 billion from FTC Chairwoman Edith Ramirez, speaking at a workshop last November.

Lanier, pointing to hardware ranging in price from $25 to $169, said that each, "offers general purpose uses. You buy the thing, create an account and just write application code for it and it sends messages to whatever the device is. It's kind of SaaS that you can stick into something."

The point, he said, is that, "the barrier to entry (for developers) is very low. It is cheap hardware with unlimited possibilities."

And the cheaper it is, the more attractive it is to small developers who may be working out of their basements on shoestring budgets, but it is also much less likely to have rigorous security built in.

In what they called "A Case Study in IoT Failure IZON," the two said they had found 19 vulnerabilities, including unencrypted storage of customer data, information leakage, poor password security, lack of authentication for customer data and poor mobile security in a single IoT device.

No wonder, then, that the "challenges" to the industry include the security of just about everything involved the hardware, software, network and platform along with user awareness and behavior. If they are not addressed, IoT vulnerabilities could result in attackers getting control not just of your refrigerator and thermostat, but your garage door, door locks even the operation of your car.

Such things have already been demonstrated at conferences, and occurred in the real world. One, from January 2012, involved a hacker breaking into live feeds from 700 of TRENDnet's security cameras and making them available on the Internet. The company reached a settlement with the FTC that barred it from misrepresenting that its software is secure, but there were no reported financial penalties.

And a major barrier to addressing these problems, they said, is that users, "may not know, or care about installing updates. They just want to use the device."

So the goal of, they said, is to focus on the small vendors who don't have the budget or understanding of the need for security, build partnerships with them and educate them on best practices.

Their hope is to have the initiative, launched in February on a platform provided free by Bugcrowd, ready to launch in the next two months.

"We want to give vendors and researchers a say in how this works," Stanislav said, "and then we want to start finding bugs, rewarding researchers and solving problems."

Join the CSO newsletter!

Error: Please check your email address.

Tags Federal Trade CommissionDuo SecurityapplicationsInternet of Thingsvulnerabilitysoftwaredata protection

More about Federal Trade CommissionFTCGartnerLanier AustraliaTRENDnet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts