The Internet of Things provides manufacturers with a golden opportunity to reinvent the wheel. But with the connectivity comes a whole new level of responsibility.
Suddenly the onus is on the manufacturer not just for the first year of life of the product but for data protection and device security (potentially for the entire lifespan of the product in the form of software updates) with the ever-present danger of a total product recall.
You’d be forgiven then, for thinking that security would now be high on the list of priorities for IoT manufacturers. Unfortunately, this isn’t usually the case. We routinely disclose to IoT vendors and many don’t know how to respond. This is because disclosure is an unfamiliar concept to them. Sometimes they just don’t understand it, or question the motivation and methodology behind it. Sadly some choose to ignore it in the hope the problem won’t manifest itself.
So why are some IoT manufacturers so tardy? Apart from the fact this is a nascent market, there’s also the issue of complex design, production and marketing processes, all of which typically involve multiple partners. The IoT production process is a long and painful one, from securing funding to hitting targets to achieve time-to-market: the manufacturer needs to meet shipping deadlines, shareholder expectations, and peak sales periods, all while keeping down costs.
The disclosure problem is further compounded by the fact that many IoT innovators tend to be start-ups who are both inexperienced and commercially restricted. By 2017 Gartner estimates more than half of IoT products will be brought to market by companies less than three years old. For them, security is often perceived as an added cost and who’d want to hack the humble kettle/fridge/washing machine? But white goods can divulge surprisingly useful data.
That said, there are exceptions to the rule e.g. FitBit, an IoT manufacturer that specialises in smart fitness devices. We spoke with them earlier this year about a vulnerability we found in their Aria Scales. We were able to use them to take control of the user’s network. Responsible disclosure means that we’ll always talk to a manufacturer or vendor to help them fix any issues before it can be reported or published. In the space of a matter of weeks FitBit issued a firmware update. Kudos to them for hearing us out and having the processes in place to act on the intel.
The IoT industry needs help and it needs it fast. Fortunately, initiatives such as the IoT Security Foundation which launched in September, a not-for-profit organisation that comprises 45 UK companies whose primary remit is to tackle cybersecurity and promote best practice, are helping pave the way. But we also need some form of standardisation such as a variation of CERT perhaps with specialisation for key sectors (e.g. domestic, automotive, medical etc.) or some hardware-specific adaptation of the well established OWASP guidance.
In the meantime, what IoT vendors should be doing is responding to security researchers, ideally publishing their preferred route to be contacted and their desired disclosure process. By putting in place initiatives such as a bug disclosure program. A nice example is United Airlines bug bounty program, they give away frequent flyer points to researchers who point out flaws, and it's a great model.
A simple web page, an email address, and someone to handle it are all it takes to create a clear avenue for bug disclosure, in effect giving the manufacturer access to a free resource of intelligence. Use the security industry as your eyes and ears. Working together, we can all ensure the IoT dream becomes a reality rather than a misadventure to market.
Ken Munro, Senior Partner at Pen Test Partners
Image source: Shutterstock/a-image