IoT Security: Beware Ghost Ships and Trojan Horses
I've had this article in my "to read" pile for a while:
IoT security: It's not too late to get it right!
Now I'm an optimist in general, so in my book that's an article worth reading. However I'm left unconvinced. It is too late. At least for the traditional approach advocated in the article. It's not that it's bad advice - it's great advice. It's just not going to work in the embedded environment with ever more capable devices.
Yes, shoddy IoT devices will be created, with shoddy implementations and poor security. This can and should be addressed along the lines advocated in this excellent article. The real issue though is not the stuff that's being sold now; it's when today's product, after moderate adoption, becomes tomorrow's "abandonware".
The device creators move on, the players change strategy, new product lines come out, and the manufacturers cut their losses. I've seen it in several generations of network media players and mobile phones (early tasters of the IoT). TVs are likely to be next to follow this arc to dangerous obsolescence - their life will be prolonged by the likes of FireTV or Chromecast. And they will continue running their built-in Smart TV software as ghost ships or, once compromised, trojan horses, in our homes behind the firewall.
So how can the problem be tackled?
As a designer you must defend your IoT devices from other rogue devices within your home network perimeter:
- Don't trust the local network and devices on it.
- If possible build on a platform that will provide ongoing operating system updates directly from the OS vendor.
- If running on a resource-constrained platform like Arduino, life is a bit trickier... watch out for a follow-on post on this topic.
As a consumer:
- Be wary of exposing sensitive systems to the internet. Look for a security whitepaper or evidence of security testing from the vendor.
- Disconnect and dispose of legacy technology and set-top boxes.
- If you use a TV stick or set-top box, I would suggest disabling the wifi for the TV's native "smart" apps - especially if no longer supported and therefore no longer updated by the manufacturer - this should make the life of an attacker that bit harder.
IoT and home automation have the potential to revolutionise our lives, health, and work. However, they come with risks - increasing our personal attack surface and the potential impact of security compromises. Many existing systems, both open source and closed, have been plagued with insecure implementations. This has resulted in consequences ranging from webcam spying, to unlocking garage doors, and even taking control of cars. A healthy level of caution should be applied, and the potential impact of security failures carefully considered. Ask yourself, "what's the worst that could happen?", as part of your buying decision.
I hope this has been of interest. Let me know your thoughts and concerns in the comments.
Cheers
Andy
@andy_boura
Technology, science, and business geek: Information Security Architecture, Risk Management, Software Development, Entrepreneurship, Business & Management.