Most electronics retailers these days have their showrooms locked down, but when absolutely everything on the showroom floor can be configured to talk to everything else, new physical and logical security strategies will need to be invented. An adversary could walk into a store wearing a smart device, which then associates with something on the showroom floor, which in turn begins exploiting more connections, and pretty soon the entire showroom floor is a large botnet ready to point at a victim on the net. Remember, the Internet of Things is synonymous with the Internet of more Insecure Things.
Lastly, we come to the vendors of these magical devices. The consumer electronics industry does not have a great history of delivering security at time of shipment or even during the service life of the device. Given no compelling reason to change that behavior, we are likely to see an explosion of insecure devices being placed on the Internet and, when they are exploited, an excruciatingly long remediation window, as no forms of automated updates will exist.
I can expand on how bad it will get before it gets better but I’d like to focus on what may happen to get us to a standard of care and security practice so that our future will suck less and be more awesome. If the Internet of Things expands at the rate that everyone predicts it will, I believe that there will be regulation like Underwriters Laboratories (UL) that can deliver on three important functions:
1) Ensure that the device pass a standard penetration evaluation such that the target surface out of the box is at a minimum (hardened).
2) Ensure that the device can report enough telemetry to a central source (leveraging IETF standards) for the continuous monitoring of its operational state and integrity.
3) Ensure that the device have a standards-based way of updating such that when vulnerabilities and defects are found in the future, updating can be performed from a trusted source.
If at least these are met out of the gate, the future of the Internet of Things will suck less, and be more awesome.