Fixing the Internet of Things
by Tim Keanini - CTO at Lancope - Friday, 24 January 2014.
It is the VAR that can help a consumer design and manage the system so that all of the benefits of the Internet of Things can be experienced while the risks are kept to a minimum. It offers one throat to choke when something goes wrong with any one of the 50+ different vendors’ products now operating in your home and daily life.

Most electronics retailers these days have their showrooms locked down, but when absolutely everything on the showroom floor can be configured to talk to everything else, new physical and logical security strategies will need to be invented. Some adversary could walk into a store wearing a smart device, which then associates with something on the showroom floor, which in turn begins exploiting more connections, and pretty soon the entire showroom floor is a large botnet ready to point at a victim on the net. Remember, the Internet of Things is synonymous with the Internet of more Insecure Things.

Lastly, we come to the vendors of these magical devices. The consumer electronics industry does not have a great history of delivering security at time of shipment or even during the service life of the device. Given no compelling reason to change that behavior, we are likely to see an explosion of insecure devices being placed on the Internet and, when they are exploited, an excruciatingly long remediation window, as no forms of automated updates will exist.

I can expand on how bad it will get before it gets better, but I’d like to focus on what may happen to get us to a standard of care and security practice so that our future will suck less and be more awesome. If the Internet of Things expands at the rate that everyone predicts it will, I believe that there will be regulation like Underwriters Laboratories (UL) that can deliver on three important functions:

1) Ensure that the device pass a standard penetration evaluation such that the target surface out of the box is at a minimum (hardened).

2) Ensure that the device can report enough telemetry to a central source (leveraging IETF standards) for the continuous monitoring of its operational state and integrity.

3) Ensure that the device have a standards-based way of receiving updates, so that when vulnerabilities and defects are found in the future, updating can be performed from a trusted source.

If at least these are met out of the gate, the future of the Internet of Things will suck less, and be more awesome.

