As you shop for that new “smart” refrigerator that can do everything including figuring out when you’re low on milk, perhaps you should also think about the risk of some mischievous hacker taking control of it and having 5000 gallons of milk delivered to your door.
Unlikely, yes, but possible. And that’s just inconvenient. What about a hacker who unlocks your doors while you’re away?
That scenario is real. It has been demonstrated. Security experts have been saying for more than a decade that, in the world of electronic devices, “smart” does not mean secure. They have warned that if security is not made a priority, the convenience provided by those devices will be undermined by cyber criminals.
And most of them say things have gotten even worse since those warnings began, in part due to the explosive growth of consumer devices with embedded computers.
Helping 'things' compute
In an interview with PaulDotCom Security Weekly TV last February, Craig Heffner, a vulnerability researcher with Tactical Network Solutions, put it bluntly. “Go back 15 years in computer security, pick every problem we’ve had from then to now, and you’ll find it in embedded systems,” he said.
That would make it a problem growing by orders of magnitude. At a conference on the Internet of Things (IoT) last month, sponsored by the Federal Trade Commission (FTC), the agency’s chairwoman, Edith Ramirez, said the 3.5 billion sensors now on the network are expected to grow to trillions within the next decade. Indeed, many of today’s new cars already have more than 100 embedded, connected computers.
”Five years ago, more things than people connected to Internet,” she said. “By 2020, 90 percent of all cars will have some kind of vehicle platform, up from 10 percent today. By 2015, there will be 25 billion things hooked to the Internet. By 2020, that will grow to 50 billion. In the consumer market, smart devices will track our health, help us remotely monitor an aging family member, reduce our utility bills and tell us we’re out of milk.”
But all that, she said, will come with “undeniable” privacy and security risks. In response, she said, the stance of the FTC is that, “companies need to build security into their products, no exceptions.”
Perhaps some day. But according to most experts, the opposite is true—the exception is a smart product that actually has security as a key component. Heffner, who appeared on a panel discussing the “connected home” at the FTC conference, contended that, “consumer devices typically don’t have any security, at least not by today’s standards.”
In an interview, Heffner said the biggest reason for that is because “people don’t make purchasing decisions based on the security of a product. They do it based on the product’s features, looks and price. Why in the world would a company spend time and money on something that users don’t care about and will never see?”
Security 'hard to get right'
That has been the mantra of security guru Bruce Schneier, chief security technical officer at BT, for some time. In a blog post this past August, he said everything from consumer devices to massive industrial control systems have, “long been hackable.”
Why? Schneier blames both consumers and manufacturers, but mostly manufacturers. “Security is very hard to get right,” he wrote. “It takes expertise, and it takes time. Most companies don’t care because most customers buying security systems and smart appliances don’t know enough to care.”
Perhaps, at least so far, they have not been given reason enough to care either. While there have been impressive, and disturbing, demonstrations of how easily a skilled hacker can take control of home automation systems, including heat, air conditioning and door locks, there has so far not been any major consumer panic over those risks.
Consumers should not be expected to know enough to care, according to Schneier. “A lot of hacks happen because the users don’t configure or install their devices properly, but that’s really the fault of the manufacturer,” he wrote. “These are supposed to be consumer devices, not specialized equipment for security experts only.”
The standard response of manufacturers of smart devices has long been that making their products truly secure would make them too difficult for consumers to use—that security would undermine convenience.
Aaron Cohen, founder of The Hacker Academy, sees some merit in both arguments. While he has long been an advocate for building security into products, he said there has to be a balance between security and convenience.
”Most people put functionality ahead of security,” he said. “If you make your TV so secure that you can’t turn it on and off, you’re not going to sell many of them. If you unplug everyone’s computer, you’ll make them secure, but you’re not going to get any work done.”
Cohen advocates the Secure Software Development Life Cycle (S-SDLC), using methods of the Open Web Application Security Project (OWASP), which he said addresses the “low-hanging fruit” risks. And he said he thinks the industry should set priorities, with more focus on securing devices that lock or unlock a home than those that turn the heat up and down or hack a television.
He said much of the risk analysis can focus on financial incentives. “Until they (hackers) can monetize breaking into your TV, is that really the best way for them to make money?” he said.
The cost factor plays, too
Jeff Hagins, CTO and founder of SmartThings, who was also on the panel at the FTC workshop, is one of many who say security vs. convenience is a false dichotomy. Hagins told CSO he thinks it is cost, more than convenience, that trumps security, but that both can and should be a priority.
”Great user experience design is just hard, and yes, integrating security into a great design is also hard,” he said. “Consumers will adopt the products with the best experience and the features they need at the price they can afford. Maintaining this balance isn’t easy, but the companies that are successful with this balancing act, while making security features a priority, can win.”
There is some good news among the bleak predictions, according to Gary McGraw, CTO of Cigital and a long-time advocate of “building security in.” McGraw said that the FTC, under its previous CTO Edward Felten and current CTO Steven Bellovin, “has been extremely active in security and software security. Those guys are guru-level experts.”
McGraw said while security improvements in smart devices are, “not going to happen overnight,” that there is progress in “important areas, like mobile security.” Like Cohen, he said progress in appliances like refrigerators can come later. “You take care of the stuff that matters first,” he said.
There are mixed views about whether that is happening. The FTC’s Ramirez asserted at the recent conference that, “companies that don’t pay attention to their security practices may find that the FTC will.” She cited a recent settlement the agency reached with TRENDnet, after a hacker was able to break into live feeds from 700 of the company’s security cameras and make them available on the Internet.
But there were no reported financial penalties in that settlement—only that TRENDnet is barred from misrepresenting that its software is secure, that it must address security risks, help customers fix their software and obtain an independent assessment of its security programs annually for 20 years.
And Schneier and Heffner said they have not seen any progress in improving security. “The market just isn’t there,” Schneier said in an interview.
Heffner said he is, “very encouraged by the FTC’s recent actions and involvement, and I think it’s a step in the right direction. However, I can’t say that I’ve seen any sweeping changes in the security of embedded systems myself.”
There is also a range of views on what can and should be done. SmartThings’ Hagins said he thinks before increasing regulation from the FTC, “we as an industry need to take a crack at self-regulation with a certification program that is similar to PCI-DSS (the certification program for credit card and e-commerce transaction security).”
Heffner is dubious about the effectiveness of such an initiative. “The Internet of Things has been around for a long time—just without the silly name—and manufacturers have had years to regulate themselves,” he said. “I think it’s pretty clear that has failed. What is going to suddenly motivate them to start regulating themselves now?”
Heffner added that PCI compliance does not guarantee security either. “Just because you’ve checked all the boxes doesn’t mean that you can’t be hacked,” he said.
Patch Tuesday for the refrigerator?
Hagins and Schneier both say if security is going to improve in embedded devices, there will have to be a way to do updates, or patches, to fix vulnerabilities. “The ability to update software, even embedded firmware, is critical to the ability to address undetected vulnerabilities,” Hagins said.
”The big problem is that there is no way to patch them,” Schneier said, “and as these things proliferate, hackers are seeing that the better target is not the computer but the router (the way most home devices connect to the Internet).”
Ultimately, even though the consumer cannot be expected to understand software security, experts expect it will take consumer pressure for the security paradigm to change.
”Consumers think stuff is secure, even though nobody told them it is,” McGraw said. “So there is a big disconnect between implicit expectations of security and the real situation. Right now, they’re too psyched about how cool smart TVs are, but when their expectations go down in flames, consumers get mad. And then, companies will have a reason to respond.”
Once consumers understand the risks of insecure products, “they will vote with their feet when it comes to buying, recommending, and using devices,” Hagins said.
But that awareness may come at a painful price. Schneier, asked if he thinks it will take a high-profile, catastrophic hack of smart consumer devices to force the market to address security of those products, said, “Sadly, I think yes.”
This story, "Smart devices get smarter, but are still short on security" was originally published by CSO.