Internet-enable everything, but ignore security at your peril: that was the recent message from internet guru and known IoT skeptic, Vint Cerf.
As part of an ACM panel celebrating 50 Years of the Turing Award, Cerf told members of the Association for Computing Machinery (ACM) that IoT companies and developers need to be more aware when it comes to security.
“The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or operating system and just jam it into the device and send it out into the wild without giving adequate thought and effort to securing the system and providing convenient user access to those devices.”
Don’t Run Before You Can Walk
Although Cerf has long been wary of plugging everything and anything into the internet (essentially the core principle of IoT), he admits that he is more open to the idea than he once was. However, with the news of Mirai and other malware harnessing unsecured IoT devices such as webcams to attack the Dyn servers getting lots of publicity last year, Cerf is concerned that his suspicions have been proven right and urges developers not to run before they can walk.
In fact, even though Cerf recently described some of the trends that led to the Dyn attack as “irresponsible” behavior, he’s not the only voice calling for more to be done. The UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) recently called the threat of cyber-attacks “significant and growing.”
Focusing again on IoT, a joint report from the two agencies outlined how easy it is to find vulnerable devices online. “It is assessed that huge numbers of insecure devices can easily be found online,” the report states in reference to 41,000+ units of one insecure model of DVR currently connected to the internet.
Don’t Ignore Basic Security Practices
The Cyber-Threat to UK Business report for 2016/2017 outlines three areas where companies working with IoT need to do more. The first and most important was protection against the very basic attacks, such as SQL injections. Despite SQL injections being well understood, many companies appear to be neglecting standard security practices when it comes to IoT devices.
As highlighted by Incapsula, there are “several effective ways” to prevent SQL injection attacks, with the first step being input validation. By writing code that can identify illegitimate user inputs, developers stand a better chance of creating an app that’s secured against these sorts of attacks. However, this goes back to a point raised by Cerf: sadly, some IoT developers are guilty of using open source software they haven’t adequately looked into, jamming it into a device and sending it out to consumers without considering its security first.
Even if companies aren’t directly involved in writing or amending the code, it should be their first priority to vet it and ensure it falls in line with well-known security protocols such as input validation. By missing these vital steps, IoT developers are not only putting their own and other businesses at risk, they’re creating problems for end users – and furthermore, as we’ve seen with the botnet attacks, for the rest of the internet too.
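To make the point concrete, here is an added illustration that is not from the article, Incapsula or any of the agencies cited: a constructed device-registry lookup in Python with sqlite3, first written the way the report warns against (user input pasted into the query text) and then with the input validated against an expected format and passed as a bound parameter. The table, device ids and regular expression are all assumptions made up for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an IoT device registry.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE devices (device_id TEXT PRIMARY KEY, owner TEXT, secret TEXT);
    INSERT INTO devices VALUES ('cam-0001', 'alice', 's3cr3t-a');
    INSERT INTO devices VALUES ('cam-0002', 'bob',   's3cr3t-b');
""")

# Assumed device id format, e.g. 'cam-0001': an allow-list of characters and length.
DEVICE_ID_RE = re.compile(r"^[a-z]{2,8}-[0-9]{4}$")


class InvalidInput(ValueError):
    """Raised when a device id does not match the expected format."""


def lookup_owner_vulnerable(device_id: str) -> list[str]:
    """Builds the SQL by string formatting: whatever the caller sends becomes query text."""
    sql = f"SELECT owner FROM devices WHERE device_id = '{device_id}'"
    return [row[0] for row in _conn.execute(sql)]


def lookup_owner_hardened(device_id: str) -> list[str]:
    """Validates the input shape first, then binds it as a parameter so it is data, not SQL."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise InvalidInput(f"rejected device id: {device_id!r}")
    sql = "SELECT owner FROM devices WHERE device_id = ?"
    return [row[0] for row in _conn.execute(sql, (device_id,))]


if __name__ == "__main__":
    malformed = "x' OR '1'='1"  # constructed malformed input, not a valid device id
    print(lookup_owner_vulnerable("cam-0001"))  # ['alice']
    print(lookup_owner_vulnerable(malformed))   # ['alice', 'bob']: the WHERE filter is bypassed
    print(lookup_owner_hardened("cam-0001"))    # ['alice']
    try:
        lookup_owner_hardened(malformed)
    except InvalidInput as err:
        print(err)                              # rejected before any query runs
```

The validation step rejects malformed ids early, which is the "first step" the article describes; the parameter binding is what guarantees that any input which does pass validation is still treated as a value rather than as part of the SQL statement.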
Don’t Fall Foul of the Law
When Mirai struck back in 2016, Dyn was forced to absorb the costs resulting from an outage that saw an array of high-traffic sites and services such as Netflix taken offline. However, as attorney Michael Zweiback has pointed out, device makers could ultimately be in the firing line when it comes to who is held accountable in such cases. Speaking to Fortune about the incident, the Alston & Bird representative said that government agencies may be in a position to sue companies selling unsecured products.
With this being the case, it seems as though Cerf’s warning may not only be worth listening to from a tech perspective. If IoT device manufacturers are found to be liable for any cyberattacks proliferated through their unsecured products, the costs could quickly add up. While there’s no doubt IoT is an exciting area of business at the moment, there’s also no doubt that security shouldn’t play second string to innovation.