Security expert Bruce Schneier has looked at and written about the difficulties the Internet of Things presents – such as the fact that the “things” are by and large insecure and enable unwanted surveillance – and concludes that it’s a problem that’s going to get worse before it gets better.
What should enterprises worry about when it comes to the Internet of things?
What practical steps should a CSO/CISO take now, anticipating there will be this IoT to deal with?
There’s nothing you can do. This is very much like the computer field in the ‘90s. No one’s paying any attention to security, no one’s doing updates, no one knows anything – it’s all really, really bad and it’s going to come crashing down.
And it will be worse because these are going to be low-margin devices, low-cost devices. You update your computer and phone every three to five years. You update your thermostat approximately never. Home routers today. Do you know the way you patch your home router? You throw it away and buy a new one. And that is going to be a freakin’ disaster. This is a tough one. It’s like the computer ecosystem in the mid-90s but without things like the profit margin. Companies will make “the thing” and they just put it out there and then they make the next thing. There’s nobody left on staff to do updates, who knows how it works. It’s not like your OS. So when you look at the cars, the thermostats, the refrigerators – it’s going to be bad.
Home routers are where we’re seeing it right now. Low cost, binary blobs, no one knows how they work, there’s no one to update them, lots of vulnerabilities, and we’re just stuck with it. Look at routers. When you see where routers are, you’ll see where everyone else is going. It’s not good.
Is there a way to predict what the likely problems will be that the CIO/CISO will face?
Yes. They will all happen, all the time. I can with 100% certainty predict the problems. There will be vulnerabilities, they’ll be exploited by bad guys, and there will be no way to patch them.
So then you’re talking about rip-and-replace with hopefully better secured replacements?
Hopefully but unlikely better.
Are you saying people pretty much haven’t learned anything from the earlier example of early insecure computers?
So it’s a different industry. This industry has learned from that industry. It’s the embedded people. Some are trying. The problem is going to be these are low margin, low cost, low quality devices. That’s what’s going to kill us. When you’re selling a $1,000 computer you’ve at least got a support staff. When you’re selling a 30-cent thermostat, potentiometer, pressure-detecting sidewalk square, smart light bulb – no one’s going to be left to care [about security].
Ultimately will there be better security in these devices?
Yes it will improve. We will solve this. This will not be the thing that kills our society. But it’s going to be a hard problem. And it’s going to be solved by weird stuff, like there’ll be security within the (network) because the endpoints are all crap.
Nice prospects, and ones that don’t fit at all with the glossy promises. Here, too, swarm stupidity plays a decisive role. Our successful history of development has been marked by trial and error. But here we forget that the effects in networked systems are completely different from those in offline systems.