The explosion of the Internet of Things (IoT), as seen at CES 2016 in Las Vegas last week, and its implications on the cloud and cybersecurity.
The damage, the damnation, the truculent total churl of the CES 2016 was this: all of the new Internet of Thingies/IoT/KewlGear has no cohesive security strategy. It’s a mosh pit of certificates, easy-auth, Oh! Let’s Connect Our Gear Together! (add breathy sigh!) meaninglessness.
Let’s now take this in the curmudgeonly risk-averse cloud space, bit by bit:
- Yo, consumer, get the cool gear! Ignore the fact that we’re constantly sucking location-based data from your (fill in the blank: wearable, drivable, or otherwise not tethered with a power or Ethernet cable) product into some database somewhere so we can glean as much intelligence as possible (which will probably be ignored by anyone who might care, or sold to some bidder who will use it for your personal actuarial assessment)!
- The example of the Internet Tea Kettle shows that there is no list of must-have security controls for any of the devices seen. So any particular device is an unknown entity, in terms of systems security, whether it’s inside your ostensibly secure perimeter or reporting to the cloud. Worse, most wearable devices inside your physical secure perimeter are dutifully trying to report their data not only to the user but to some mothership, from inside your offices, your home offices, or your automobiles, the auto’s own data included.
- Does this mean that we must now scan individuals walking into offices, plants, corporate/organizational traffic for their IoThingie devices? Each of these devices is as dangerous and rogue as the average smartphone, perhaps worse, as there is no security regimen in the industry relating to what data they use, keep, transport to a mothership, etc. Will these tiny devices start to clog up your wires, too? Will your cloud resources get bogged down by the importance of sending steps-walked data instead of line-of-business apps?
- The IoThingies have no second-factor authentication capabilities. Think about that, and the standard that your organization applies to fixed and mobile computing resources. Cringe. Consume Zantac. Rinse. Repeat.
- The cloud is seen by most IoThingies as the perfect place to store data, and most products come with the leech of requiring data to be stored somewhere. No one knows if their practices are as sloppy as Anthem, Target, or the OPM. Perhaps they are better; I cannot know. But there is no inherent methodology to certify that even the most modest security procedures are actually practiced, not that a Good Housekeeping Seal of Approval is worth anything, anyway. There is no industry organization waiting in the wings to do these certifications, and Underwriters Laboratories, et al., haven’t been tapped on the shoulder by the insurance industry to motivate organizations to adhere to anything but basal liability.
- Drones. The FAA registration program is, at best, nihilistic. From my observations, there were more drone makers than tablet makers at CES 2016. Think about that. FAA registration is also, at best, doing nothing for safety, industry, or users of drones. There is no inspection program, there is no safety program, there is no security program, there are only huge numbers of drones with cameras attached. Close your curtains. Is that a drone doing a video and some screen caps of YOUR R&D labs?
- Bluetooth as the control mechanism became real, as did combos of Zigbee, Bluetooth, and other non-Wi-Fi data transports. Again, no security methodology, and no method to create a bastion perimeter. I saw that Yubico has a new product, the YubiKey NEO, which uses Near Field Communication (NFC) for smartphone auth, using the FIDO U2F standards. It’s a start.
- Some top traditional IT vendors are adapting to the sense that their business ecosystems can make headway into consumer products, via Microsoft in-dash products and Apple compatibility and sometimes blessings, but much is open source. Much is also NOT ABLE TO BE UPDATED. Software provenance, in terms of what’s actually inside a consumer product, is often a secret sauce, and therefore a total mystery. What old SSH versions, or hardcoded root keys, are lurking beneath the surface of innocuous devices?
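Since you cannot see inside these devices, the one thing you can do is ask them what they claim to run. The script below is an added example, not code from the original column or from any vendor named here: it parses SSH identification strings (the "SSH-2.0-OpenSSH_7.2" line every SSH server sends on connect) and flags devices that advertise SSH-1 compatibility, an unknown implementation, or an implementation older than an assumed floor. The banners, IP addresses and minimum versions are constructed for illustration; a real sweep would collect them from your own segment.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of what an inventory sweep of one network segment
# might collect. The hosts and banners are invented for illustration.
SAMPLE_BANNERS: Dict[str, str] = {
    "10.0.0.12": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    "10.0.0.31": "SSH-2.0-dropbear_2012.55",          # old embedded SSH
    "10.0.0.44": "SSH-1.99-OpenSSH_4.3",               # still offers SSH-1
    "10.0.0.57": "SSH-2.0-OpenSSH_5.3",
    "10.0.0.80": "",                                   # port closed / no banner
}

# Identification string per RFC 4253: SSH-<protoversion>-<softwareversion> [comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")
# Pull "name" and a dotted numeric version out of the software field
# (OpenSSH_7.2p2 -> openssh, (7, 2); dropbear_2012.55 -> dropbear, (2012, 55))
VERSION_RE = re.compile(r"^(?P<name>[A-Za-z]+)[_-](?P<version>\d+(?:\.\d+)*)")

# Assumed minimum acceptable versions for this example, not a vendor standard.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {"openssh": (6, 0), "dropbear": (2016,)}


class Finding(NamedTuple):
    host: str
    banner: str
    reasons: Tuple[str, ...]


def parse_banner(banner: str) -> Optional[dict]:
    """Split an identification string into protocol, implementation and version."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    software = m.group("software")
    v = VERSION_RE.match(software)
    name = v.group("name").lower() if v else software.lower()
    version = tuple(int(x) for x in v.group("version").split(".")) if v else ()
    return {"proto": m.group("proto"), "name": name, "version": version}


def assess(host: str, banner: str) -> Optional[Finding]:
    """Return a Finding if the banner is worrying, else None."""
    if not banner.strip():
        return None  # nothing listening; not an SSH finding
    parsed = parse_banner(banner)
    if parsed is None:
        return Finding(host, banner, ("unparseable SSH banner",))
    reasons: List[str] = []
    if parsed["proto"] != "2.0":
        # "1.99" means the server will still negotiate SSH-1
        reasons.append(f"protocol {parsed['proto']} advertises SSH-1 compatibility")
    floor = MIN_VERSION.get(parsed["name"])
    if floor is None:
        reasons.append(f"unknown SSH implementation {parsed['name']!r}")
    elif parsed["version"] < floor:  # tuple comparison handles (2012, 55) < (2016,)
        have = ".".join(map(str, parsed["version"]))
        want = ".".join(map(str, floor))
        reasons.append(f"{parsed['name']} {have} is below assumed floor {want}")
    return Finding(host, banner, tuple(reasons)) if reasons else None


def audit(banners: Dict[str, str]) -> List[Finding]:
    """Assess every host in the inventory and return the findings, sorted by host."""
    return [f for h, b in sorted(banners.items()) if (f := assess(h, b)) is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNERS):
        print(f"{finding.host}: {finding.banner}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The version floors are the part you would tune: what counts as "too old" depends on your own risk appetite, and a device that cannot be updated will fail this check forever, which is exactly the point of running it.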
Consumer and entertainment electronics are now “smart,” meaning rife with features, and that means microprocessors, FPGAs, and custom CPUs. Absent any knowledge of what’s inside these devices, you’ll need to shore up security and be unwaveringly diligent, both in terms of local security and your cloud resources.
For two decades I’ve been warning that there is no such thing as a secure perimeter, and the IoT will pressure this point like nothing before in tech history.