CAMBRIDGE, Mass. -- According to a number of security luminaries, the Internet of Things has the potential to disrupt and transform society in the same way the printing press did centuries ago. But much like the Internet's creators came to regret ignoring security in its early days, when it comes to securing the millions of emerging Internet-connected devices and machines, the information security industry may already be falling behind.
That was the overarching theme of Wednesday's inaugural Security of Things Forum, uniting security professionals to discuss the most pressing Internet of Things security issues. According to a recent report from Gartner Inc. -- which estimated 26 billion devices will be connected to the Internet by 2020 -- Internet of Things (IoT) security problems will force enterprises to rethink their IT security strategies much in the same way bring your own device and cloud computing have shattered the idea of the traditional network perimeter.
"Every time we have a major infection point, we seem to make the same mistakes," said Earl Perkins, research vice president with Stamford, Conn.-based Gartner. "We allow it to get away from us and end up playing catch up for the next five to 10 years."
Josh Corman, chief technology officer for Fulton, Md.-based application security vendor Sonatype Inc., warned attendees that the battle to secure IoT may already be slipping away from the industry -- and that's before billions of home appliances, motor vehicles and medical devices join the fray.
IoT devices at risk
For example, last year researchers Charlie Miller and Chris Valasek showed how cars could be hacked remotely, said Corman, with the duo demonstrating the ability to disable a car's brakes, accelerate its speed and even take full control of the steering wheel. Corman admitted that even he had not understood the extent to which cars are controlled by software.
"We're driving a computer on wheels," Corman said. "For the next 24 hours, every time you see the word 'software,' replace it with the word 'vulnerable.'"
Corman also pointed to research by the late Barnaby Jack to hammer home just how insecure IoT devices are today. Starting in 2011, Jack demonstrated on multiple occasions how hackers could control the dosages delivered by insulin pumps to diabetics via a Bluetooth connection, potentially exposing victims to lethal amounts.
Ultimately, he said, the general public and the manufacturers of such devices are unlikely to take security concerns seriously until real-life, catastrophic events take place -- much in the same way environmental regulations in the U.S. weren't embraced until the Cuyahoga River in Ohio caught fire in the 1960s, sparking a wave of concern.
"Why the heck is there Bluetooth on an insulin pump?" said Corman, who questioned whether the benefits of Internet-connected devices actually outweigh the risks. "[It goes] back to that cost benefit. We're taking the benefits, but we're not assessing the risks."
Dan Geer, chief information security officer for Arlington, Va.-based In-Q-Tel, a government-funded investment firm that helps incubate technology for the CIA, said the benefits of IoT are driving society to be increasingly dependent on machines that communicate with each other. In terms of how IoT already affects the U.S. food supply, Geer said tractors on farms are connected to GPS, vegetables and fruits are sorted by robots, and even livestock are tagged with RFID chips; the efficiencies derived from that interconnectedness mean there is never more than a week's supply of food in the chain.
Whereas those embedded systems have in the past remained unconnected from the Internet, Geer warned attendees that as manufacturers seek to control such systems remotely, the risk posed by that new connectivity may not be easily contained.
Considering that embedded systems manufacturers to date haven't often provided firmware updates, Geer questioned whether such "immortal" IoT devices -- always connected but lacking security support -- would be angelic or demonic.
"The longer-lived these devices [become], the surer it will be that they will be hijacked within their lifetime," Geer said. "Their manufacturers may die before they do; a kind of unwanted legacy much akin to superfund sites and space junk. The Internet of Things … should raise hackles on every neck given our current posture."
How to secure IoT devices
While the security industry is just beginning to come to grips with IoT, Geer said the industry also needs new technologies to secure IoT. Unfortunately, Geer indicated such investments are unlikely in the short term because nobody wants to fund them.
Hypothetically, he said, a company could offer technology that would lock down, say, a processor once it leaves a fabrication factory -- potentially preventing attackers from inserting backdoors at the hardware level -- but it's unclear to him which stakeholder in the supply chain would be willing to buy such a product.
For attendee Mark T., a long-time investor in sensor-related startups, the impetus for better IoT security measures needs to come from the businesses utilizing IoT devices. In a previous venture, Mark said his company had created sensors for the restaurant industry that measured waste runoff from grease traps and the like -- a product for which he did not implement any security controls because he assumed restaurants would not care. Surprisingly, he was forced to reassess that assumption when restaurants requested certain security features based on industry regulations.
"I put in a PIN and that made them happy enough," said Mark T., who noted that the fear of regulatory fines was the driving factor for his customers, not security concerns.
Corman said manufacturers of IoT devices are unlikely to consider implementing better security measures unless customers are willing to press for change. In the case of Jack's insulin pump hack, for example, Corman implored attendees to question their own personal doctors about the incident and the general security of other medical devices, with the hopes that doctors and hospitals, the largest purchasers of medical equipment, would take those concerns to the manufacturers.
Corman said -- given that defending IoT devices is much more difficult than attacking them -- consumer pressure is needed sooner rather than later.
"Are we too early or too late? In some ways, I think we're too late," Corman said. "Our best and brightest are spending billions of dollars on security controls -- and even in areas that don't matter that much [like securing easily replaceable credit cards] -- and we're still having breaches on a regular basis. This has pretty big implications for the Internet of Things."