Our Principal Security Engineer wrote up a list of IoT security predictions at the start of 2017 for ReadWrite. This is a midyear check-in on how those prognostications are panning out.
IoT Security Prediction Status
Prediction #1: Email security might become a hot topic. He wasn’t wrong. Security researcher Brian Krebs just posted a horrifying story about the perils blind trust in email, and the popular HBO series Game of Thrones announced that it now forces employees to use two-factor authentication in emails to avoid hack-related leaks and spoilers.
Prediction #2: Cloud-service security consolidation. Right again. He thought that large cloud-hosting operators would start expanding their offered services to handle more IoT security this year. In April, Microsoft released details about Project Sopris, and Cisco just expanded its IoT cloud security services via its $610M acquisition of Viptela, which is being rolled into its network and security business division.
Prediction #3: Legislation aimed at IoT security provisions. It has begun. In February, California State Senator Hannah-Beth Jackson introduced Senate Bill 327, which requires manufacturers to equip IoT devices with “reasonable security features appropriate to the nature of the device and the information it may collect, contain or transmit.”
Prediction #4: More Open Whisper-like deployments. Recently, The Internet Society advised the G20 to uphold the role of encryption as the foundation of all online transactions. As noted by an IoT end-to-end encryption proponent in InfoSecurity: “Machines have to be able to know which machine they are talking to…and to do this we need encrypted and private communication. This is why our IoT-driven future, where decisions are made and business is conducted in the cloud through machines, needs encryption. If government wants to have an e-enabled, information society of the future, encryption is a required ingredient, not an optional one that can be picked up or put down at will.” Which leads to…
Prediction #5: Vendors vs. government. Our expert saw the issue of cryptographic protection spiking in government v. corporation v. consumer showdowns in 2017 and beyond. This very topic was the subject of much debate after
U.S. FBI Director James Comey told the Senate that companies might be required to provide a means to break their own product security via backdoors or decryption schemes: “I could imagine a world that ends up with legislation saying if you are going to make devices in the United States, you figure out how to comply with court orders.” And in Europe, it has become politically popular to tie strong encryption and user privacy policies to terrorism. The debate rages on.
IoT Security Context
The problem of digital insecurity stretches beyond our smartphones and smart things and seems to touch every sector. Last year, hackers doxed thousands of U.S. federal employees and, in separate incidents, user-information was stolen from LinkedIn, Yahoo, Dropbox, Oracle, and a long list of others. There were a series of IoT-powered DDoS attacks courtesy of Mirai botnets-for-hire, highly publicized ransomware hacks, and U.S. presidential campaign accusations about state-sponsored cyberwarfare. Zombie IoT devices play a big part in this miasma, as both victims of hacks and power sources for further cyber villainy.
So, who is too blame? As SecurityIntelligence recently reported, “The challenge, in a nutshell, is that there are currently no clear lines of responsibility when it comes to IoT and mobile security.” That makes for a troubling landscape.
But as our expert noted in ReadWrite: “Sufficient information security has always been a moving target and there are armies of smart and thoughtful professionals laboring to hit the mark… As reliance on IoT and big data continue to transform our personal habits, businesses, and governments, perhaps the only upside of the bad news is that it may motivate us all to pay more attention and expend more effort in safeguarding both our information and the legitimate systems that make use of it.” That’s an IoT security lesson we would all do well to revisit often.