CSO - As you shop for that new "smart" refrigerator that can do everything including figuring out when you're low on milk, perhaps you should also think about the risk of some mischievous hacker taking control of it and having 5,000 gallons of milk delivered to your door.
Unlikely, yes, but possible. And that's just inconvenient. What about a hacker who unlocks your doors while you're away?
That scenario is real. It has been demonstrated. Security experts have been saying for more than a decade that, in the world of electronic devices, "smart" does not mean secure. They have warned that if security is not made a priority, the convenience provided by those devices will be undermined by cyber criminals.
And most of them say things have gotten even worse since those warnings began, in part due to the explosive growth of consumer devices with embedded computers.
In an interview with PaulDotCom Security Weekly TV this past February, Craig Heffner, a vulnerability researcher with Tactical Network Solutions, put it bluntly. "Go back 15 years in computer security, pick every problem we've had from then to now, and you'll find it in embedded systems," he said.
That would make it a problem growing by orders of magnitude. At a conference on the Internet of Things (IoT) last month, sponsored by the Federal Trade Commission (FTC), the agency's chairwoman, Edith Ramirez, said the 3.5 billion sensors now on the network are expected to grow to trillions within the next decade. Indeed, many of today's new cars already have more than 100 embedded, connected computers.
"Five years ago, more things than people connected to the Internet," she said. "By 2020, 90% of all cars will have some kind of vehicle platform, up from 10% today. By 2015, there will be 25 billion things hooked to the Internet. By 2020, that will grow to 50 billion. In the consumer market, smart devices will track our health, help us remotely monitor an aging family member, reduce our utility bills and tell us we're out of milk."
But all that, she said, will come with "undeniable" privacy and security risks. In response, she said, the stance of the FTC is that, "companies need to build security into their products, no exceptions."
Perhaps some day. But according to most experts, the opposite is true -- the exception is a smart product that actually has security as a key component. Heffner, who appeared on a panel discussing the "connected home" at the FTC conference, contended that, "consumer devices typically don't have any security, at least not by today's standards."
In an interview, Heffner said the biggest reason for that is because, "people don't make purchasing decisions based on the security of a product. They do it based on the product's features, looks and price. Why in the world would a company spend time and money on something that users don't care about and will never see?"
That has been the mantra of security guru Bruce Schneier, chief security technical officer at BT, for some time. In a blog post this past August, he said everything from consumer devices to massive industrial control systems has, "long been hackable."
Why? Schneier blames both consumers and manufacturers, but mostly manufacturers. "Security is very hard to get right," he wrote. "It takes expertise, and it takes time. Most companies don't care because most customers buying security systems and smart appliances don't know enough to care."
Perhaps, at least so far, they have not been given reason enough to care either. While there have been impressive, and disturbing, demonstrations of how easily a skilled hacker can take control of home automation systems, including heat, air conditioning and door locks, there has so far not been any major consumer panic over those risks.
Consumers should not be expected to know enough to care, according to Schneier. "A lot of hacks happen because the users don't configure or install their devices properly, but that's really the fault of the manufacturer," he wrote. "These are supposed to be consumer devices, not specialized equipment for security experts only."
The standard response of manufacturers of smart devices has long been that making their products truly secure would make them too difficult for consumers to use -- that security would undermine convenience.
Aaron Cohen, founder of The Hacker Academy, sees some merit in both arguments. While he has long been an advocate for building security into products, he said there has to be a balance between security and convenience.
"Most people put functionality ahead of security," he said. "If you make your TV so secure that you can't turn it on and off, you're not going to sell many of them. If you unplug everyone's computer, you'll make them secure, but you're not going to get any work done."
Cohen advocates the Secure Software Development Life Cycle (S-SDLC), using methods of the Open Web Application Security Project (OWASP), which he said addresses the "low-hanging fruit" risks. And he said he thinks the industry should set priorities, with more focus on securing devices that lock or unlock a home than on those that turn the heat up and down, or on a television.
He said much of the risk analysis can focus on financial incentives. "Until they (hackers) can monetize breaking into your TV, is that really the best way for them to make money?" he said.
Jeff Hagins, CTO and founder of SmartThings, who was also on the panel at the FTC workshop, is one of many who say security vs. convenience is a false dichotomy. Hagins told CSO he thinks it is cost, more than convenience, that trumps security, but that both can and should be a priority.
"Great user experience design is just hard, and yes, integrating security into a great design is also hard," he said. "Consumers will adopt the products with the best experience and the features they need at the price they can afford. Maintaining this balance isn't easy, but the companies that are successful with this balancing act, while making security features a priority, can win."