Hacker Bonanza Ahead

A complex supply chain and the lack of direct liability mean many devices aren’t going to be secure enough.

Always on, always connected—and therein lies the danger. With the world going to a 24/7 online presence, the hacker’s universe of opportunity is never closed. And once the IoT gets everyone and everything connected, hackers will have an even more bountiful playground.

Just recently, HP did another one of its hacker studies. The Fortify application security unit analyzed what will likely be some of the most popular consumer IoT devices: TVs, webcams, thermostats, remote power systems, sprinkler systems, hubs/routers, door locks, alarms and garage door openers. It found no fewer than 250 different security vulnerabilities across the product lines.

A couple of years ago I had written something similar to this and the numbers were about the same. It seems that we haven’t learned much in a couple of years, at least not at the consumer end. But I have gotten a lot smarter about this issue since then, working on the security and IoT beat here.

But our industry has been trying – and succeeding – at least at the chip level. My contacts at NXP, Rambus, Kaspersky, Chaologix, Arteris, Infineon, Chipworks, and so many others that are at the top of the cryptography class give me tons of data on what they are doing to secure chips and peripheral segments. Cryptography has come a long way. Today there shouldn’t be a single IoT device out there that is vulnerable. But most are vulnerable, so it shouldn’t be a surprise that the HP results are what they are.

You can blame all of this on an enormously complex, highly competitive and largely disaggregated supply chain. Vendors and manufacturers face no direct fallout from poor security, and there is no compelling business reason—at least not yet—why they should. So far the end user has had to shoulder all the risk. Of the major corporations that have suffered breaches, such as Target, Home Depot and Chase, none has paid a dime to a consumer whose identity has been stolen. Nor has a device vendor compensated a consumer for a router, thermostat, toaster, or refrigerator that was hacked.

There is the argument that the end user should be smart enough to provide their own security. And with devices such as smartphones, tablets, computers, and the like, that argument has some credibility. But for an appliance, baby monitor, or toothbrush, the average consumer should be confident there is a decent level of security right out of the box. And that needs to happen at the chip level.

So…playing this forward, the more things change, the more they seem to stay the same. And for the IoT that is bad news. For the hackers, there is a brand new, wide open playground.