IoT Patching is Not Likely to Happen Soon
The federal government has issued guidance for manufacturers of Internet of Things (IoT) devices. In November 2015, the Department of Homeland Security issued its Strategic Principles for Securing the Internet of Things. Its two main tenets are: (1) build security in at the design stage, and (2) make these devices (CCTV cameras, inspection drones, warehouse robots, control systems for security doors, fire suppression, etc.) updatable over the network. Great. Good ideas.
But I am afraid this is not going to happen for a long time. Look how long it took Microsoft to get to the point where patches are created, tested, and pushed out on a timely basis. After the famous Bill Gates email of March 2002, the story goes that Microsoft stopped all development for a year as it retooled and taught all of its developers to build better products with an eye towards security. Patching had become such a burden that they switched to monthly patches on the second Tuesday of the month, which became the tempo of every IT department. Yet some of the most disastrous worms, viruses, and ransomware still spread through vulnerable Windows systems. Think SQL Slammer, which almost brought the Internet down on January 25, 2003, MS Blaster in August 2003, WannaCry in May 2017, or NotPetya in June 2017. It took 15 years for Microsoft to get to where it is today. And of course there are still hundreds of thousands of organizations that are not plumbed to accept, test, and distribute patches in a timely manner.
And we expect a small manufacturer in Korea or Germany to establish the same capability for its products? I don’t think so. There is just no incentive to build security in from the beginning.
Say you are a fresh startup. You raised excitement for your new widget with a Kickstarter campaign. You raised enough money to prototype it. You are a coder, and your partner has hardware experience. Are you going to hire a security person to review your design? Are you going to include some sort of Trusted Platform Module (TPM) or other way to store digital signatures to verify updates?
You want your product to be plug and play. How are you going to ensure that each customer creates unique (and strong) credentials to set up and manage the widget? When, after six months, they finally decide to log in to change a setting, how do you handle password recovery? Did you provide an app so they can use their authenticated smartphone to do it? What if they switched phones in the meantime?
Compare all those requirements to just getting the product working and out into the world. No one cares if your security is lacking when there are only a hundred devices in the hands of early adopters. It’s only after you get to a million devices and VCs are dumping money into your startup and you are on a roll that the vulnerabilities in your pet will be discovered and widely exploited. By then you will have plenty of developers, lawyers, and PR people to handle the issue. Why can’t you follow Microsoft’s example and wait until there is a problem?
I have seen a few products launch with security in mind. I have done end-to-end security assessments for them. None of them have made it into the mainstream. Security still does not sell. Cool sells. Convenience sells. Ease of use sells.
Remember when Twitter surpassed a million users and was still allowing simple passwords and doing zero throttling of multiple login attempts? A kid in LA set up a script to run a dictionary attack against celebrity accounts. He let it run overnight and by morning was tweeting from several accounts. Twitter only layered in security after it became necessary. By then they had millions of users, were growing, and had the resources. If the first thousand Twitter users had been asked to provide their phone number for SMS verification, there would not have been a first thousand users.
Google too. And don’t get me started on Facebook, which is exploring new realms of vulnerability to new types of attacks.
So be prepared for a continuous stream of hackable devices making their way into every part of our infrastructure, your business, and our homes.
There will be dozens of startups that create layers of security to fix the IoT problem. In the meantime, manufacturers of devices may at least start thinking about the federal guidelines. Maybe they will build in the hooks for an eventual patch management capability and think about better means of authentication.
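What the "hooks" for update verification mentioned above (and the stored-signature question in the startup scenario) look like in practice, as an added example that is not from the original post or any vendor: the device pins the vendor's public key, checks an Ed25519 signature that binds the image to its version number, and refuses to move the version backwards. The `Update` layout, the `Sign`/`Verify` names and the firmware bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed, minimal update package: a monotonic version,
// the image bytes, and an Ed25519 signature over sha256(version || image).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// digest binds the version number to the image so that a validly signed
// old image cannot be replayed under a new version number, or vice versa.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// Sign is the vendor side (build server); the private key never ships on a device.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, digest(version, image))}
}

// Verify is the device side: pub is the pinned vendor key (kept in a TPM or
// other immutable storage) and installed is the version currently running.
// The signature check comes first; the version check then blocks rollback.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Signature) {
		return errors.New("update rejected: bad signature")
	}
	if u.Version <= installed {
		return errors.New("update rejected: version does not advance (rollback)")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	u := Sign(priv, 2, []byte("firmware v2 (constructed)"))
	fmt.Println("genuine v2 on a v1 device:", Verify(pub, 1, u))
	fmt.Println("same v2 on a v3 device:  ", Verify(pub, 3, u))
}
```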