One thing everyone should know about the so-called Internet of Things, Gary McGraw recently said, is "Internet" is the collective noun for "things." So just as you can have a flock of geese, you can have an Internet of Things.
Fortunately, McGraw had other insights to offer in this interview, recorded at the 2015 RSA Conference. SearchSecurity editorial director Robert Richardson sat down with McGraw to discuss Internet of Things (IoT) security concerns and the prospects for security as IoT emerges.
"I think what's happening … is that you also have this consumer-facing stuff. And basically you have this tech that's almost free. I mean, why not stick an 8088 chip in there. It's probably more expensive to store that thing in a warehouse than it is to stick it in a dishwasher, so what the hell? So what if your dishwasher had six states -- now it has a Turing machine.
"So I think that tech stacks and the widespread availability of Wi-Fi everywhere makes this almost inevitable. The challenge of course is that, once you have a computer in your dishwasher or your refrigerator, the fun begins from an attack perspective."
As a somewhat lighthearted example, McGraw noted that "if your refrigerator can order milk, an attacker can order a lot of milk … all of the milk! It's like 'Why did all of the milk come to my neighborhood?'"
As for the question of how to manage the APIs that objects will use to talk to other objects and services, McGraw noted that "from a design perspective, what that brings up immediately is 'what are the trust boundaries?' You have to think of trust as a contextual exercise. And you can't say, 'Well, I own it, so I trust it.' That's a little vague. You're going to want to trust your dishwasher less than you trust your Nest thermostat."
Where you need more trust, McGraw argued, is where the trusted object is capable of causing more damage if that trust is violated due to a malicious attack.