Just because something is scary doesn’t mean it’s a figment of your paranoid imagination.
That is Joshua Corman’s response to those who say there is too much unwarranted FUD (fear, uncertainty and doubt) regarding the lack of security in the Internet of Things (IoT), which is rapidly evolving into the Internet of Everything.
There is reason to be afraid, he said, because the dangers in the digital “ocean” are as real as swimming in a physical ocean of sharks, with blood in the water.
Corman, CTO of Sonatype and one of the featured speakers at the Security of Things (SECoT) Forum in Cambridge, Mass. on Wednesday, used that image for the title of his talk, “Swimming with Sharks – Security in the Internet of Things.”
As he and other speakers throughout the day noted, the attack surface of the IoT is growing exponentially. Most estimates are that there are at least 10 billion “things” now connected to the Internet, with that number expected to reach anywhere from 50 billion to more than 212 billion by the end of this decade, with 30 billion of them self-governing and “autonomous.”
And so far, there is no “cavalry” coming to save the public from IoT threats. It is up to the security community, he said, to “be the voice of reason” and to call for public policy makers to improve “technical literacy.” Corman’s latest project, @iamthecavalry, is an effort to bring security awareness regarding the IoT to the grassroots.
That, he said, is because there is plenty of information about cool features and convenience from embedded smart devices (remote door locks, automatic insulin pumps, self-driving cars), but not so much about the risks.
“A bedrock principle is that everything we do is based on risk v. reward,” he said, “but right now, our understanding of the risk is not based on complete information.”
The reality of the IoT, he said, is that, “right now the sharks outnumber the good guys.” Instead of Advanced Persistent Threats (APTs), he said it would be better to think of Advanced Persistent Adversaries. “They’re a different kind of shark. It’s a very serious problem – not really a ‘what’ but a ‘who’ and ‘how.’ And we are losing. Our best and brightest are spending millions and billions on security controls, but there are still breaches on regular basis. “
One of the reasons for that is that “offense is easy, but defense is hard.” That has been proved by Anonymous, he said, the loose hacktivist collective that Corman spent some time studying as a “species of predator.” What he found was that the group, in spite of being populated by relatively unsophisticated people using rudimentary tools, “they made up for it with will power. They went on a 50-day rampage called the Summer of Lulz and pretty much took down anyone and everyone they wanted with great success. They held up a mirror to our neglect. They showed how badly we’ve operationalized basic web security.”
Most important, he said, “they revealed that hacking power existed and was available to anyone. And this has big implications for the IoT,” especially given the growth of our dependence on it.
“If you ask: ‘Are we getting better or worse at security?’ given that our dependence on the IoT is growing faster than our ability to secure it, I don’t see the evidence that we are getting better.”
There is plenty of troubling evidence of the lack of security he said, noting the recent demonstration by hackers that they could breach the control systems of modern cars, including the airbags, seat belts, brakes and even the steering wheels. He said a friend of his who is diabetic was able to hack his own insulin pump, and demonstrate that an attacker could deliver him a lethal overdose.
The response, when he informed his doctors and the manufacturer of the pump, he said, was simply, “We comply with FDA standards.”
Internet-connected door locks that can be opened or closed remotely, “are supposed to keep bad guys out, but they can all be undermined to let bad guys in,” he said.
And at the regional level are Industrial Control Systems (ICS) for utilities like water, sewer and the electrical grid that have hard-coded passwords, making them far too easy to hack.
Without public pressure, he said, things are unlikely to change unless there are some high-profile, catastrophic failures of systems. “If it’s about public safety and public good, then the public needs to be part of the discussion. And we need to be ambassadors for digital literacy.
“No one is coming to save us,” he said, “so it is worth trying. “We are adrift, and blood is in the water.”