Unpacking IoT

 

Whether they are autonomous or need to be engaged with, billions of devices are out in the world, connected to the internet, doing something. Are these devices here to help us, hurt us, or both?

The technology we love can hurt us.
Like it or not, devices are part of our everyday lives. 50% of devices in hospitals are unmanaged, and the number of devices grows by 2% every month. It’s like Shadow IT but for smart devices, or what we call Shadow IoT. Overall, critical medical devices like glucometers and patient monitoring devices allow healthcare workers to provide better healthcare services. What comes with them is exposure to risk. Recent attacks on hospitals caused shutdowns of radiology devices, and this is a growing trend not only in healthcare but in other industries as well.

A tweet is probably more secure than an MRI machine.
A tweet we post is probably more secure than an image sent by a connected MRI machine.
It’s clear that some basic security controls are missing: limited security, endpoint security, legacy technologies that are falling short, and large-scale implementation of devices, to name a few. Anytime a system is put out, it needs to be secured or it becomes leverage for someone else. We need to start creating secure devices in the first place, and that starts with the programmers, suppliers, and manufacturers.

No time for security… It’s someone else’s problem.
There has been a big explosion in innovation, with off-the-shelf components used to create apps and devices, and many of the creators don’t have the responsibility or know-how to secure them. The devices are put on the internet without considering the consequences. Folks on the business side are pushing their teams to develop new features, and there isn’t time for security. It ultimately becomes someone else’s problem when it is too late.

When printers first came about in IoT, it was clear who they were manufactured by. Now, many devices come with other components under the hood from multiple manufacturers, and the seller of the device is not the manufacturer. Who is tracking the integrity of that software? This includes weapons systems, medical equipment, and your smart devices. It is virtually impossible to make sure they are secure if you don’t know who made all the parts.

Remember when you used to be able to patch a device or software that had a known vulnerability? Those days are pretty much over. Nowadays, you don’t have additional patches that can be deployed without destroying a system.

Good developers create secure code from the get-go.
Programmers and engineers should have security built into their skillsets. When code is bad, it becomes exploitable. Good, high-quality code has security baked in. Security should be a best practice and not an afterthought.

So what’s the solution?
The answer is to put the device in the center and wrap it in a bubble… The likelihood of a smart device being breached is high, so we need to contain the blast radius if and when it gets compromised, then throw it out and get a new one. We need to think of a new way to build and modernize our networks. The network hasn’t changed; it just hasn’t adapted to handle the new devices.

Once upon a time, we had the network and the devices separated without thinking of all the controls we could put in place. We kind of forgot about the fundamentals.

Device-centric risk management can help if we think about protecting devices in three layers:

1. What you can do on the device (configurations, profiles, etc.)
2. What you can allow or block on the network
3. Connection to vendor management system support.

Ask yourself: What is the risk of each device? Where is it located, and what would happen if it got hacked? Would you be able to isolate the damage? All of these things, plus enabling multi-factor authentication, are key and can be done in a business environment as well as at home.

Our home is like a small to medium business.
How many computers do you have at home? 2-3? Think again… What about your HVAC, smart appliances, TVs, smart speakers, and laptops? You probably have 15-20 connected devices. This is equivalent to a small business, and you need to treat it that way. People seem to prefer convenience over the risk of getting hacked. So ask questions before buying a new smart device: How is it secured, what is it tracking, and does it have multi-factor authentication? It’s really not that hard.

The Idea of a “Technology Seal of Approval”
Can we grade devices to help consumers make better decisions and take precautions? If you bring Alexa in, have you increased or decreased risk? To force change, we’d love for DevSecOps teams to be educated to provide a “seal of approval” or maybe even some sort of warranty. This would definitely help with the lack of accountability.

We know we’ll still have issues. Heck, tobacco companies warn us but we don’t listen. At the end of the day, nothing is bulletproof. All you can do is find the right balance between what to do and what to protect.

Resources

It’s 2020. Let’s Stop Saying “IoT.” article by Hod Fleishman

California IoT Law

Hosted by

  • Wizer’s hacker, Chris Roberts!

Thank you to our esteemed panelists: