Jeremy Rowley fields questions from the audience at Passcode's Security of Things event on October 27, 2016.
Michael Bonfigli

We need cooperation to secure the Internet of Things

The processes and technologies to prevent digital malfeasance like the Mirai botnet are largely clear — if we can work together

It’s a common sentiment of internet-connected device owners and even some manufacturers that the security of an individual device isn’t so important.

After all, you might think, if it’s just a few commands being transmitted from my phone to my air conditioning unit to change the temperature in my house, in the grand scheme of things, what can a hacker really do with that?

Quite a bit, actually.  

Individual unsecured devices, especially consumer-facing ones, aren’t so dangerous by themselves, but they become more dangerous as a swarm. We witnessed just such a swarm on October 21, with the Mirai botnet assault on a portion of the Internet’s phone book (also known as the Domain Name System, or DNS) that shut down the internet on the East Coast.

When individual devices aren’t secure, hacking into a large number of devices becomes as easy as hacking into one device.

But a large portion of the threat can be mitigated if companies and developers follow security best practices, many of which are well established and can be practiced today.

What’s hard isn’t the practices — it’s the coordination and cooperation necessary to succeed.

At a high level, there are a few easy fixes: devices need unique identifiers; they need authorized users; those two data points (users and devices) need to be connected; packets of information sent between devices (your air conditioner) and controllers (your phone) need to be cryptographically signed; and any updates to a device’s core software (known as firmware) need to be similarly signed by the manufacturer.

By maintaining the security of the lanes of communication from users and developers to devices and thus cooperating across the Internet of Things ecosystem, hijacking individual devices becomes much more difficult and it becomes nearly impossible to take over a fleet of devices en masse.
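The checks listed above, applied to command packets only (not firmware updates), as an added Python example that is not part of the original article. It assumes a key issued per user-device pairing and uses HMAC-SHA256 as a stand-in for a digital signature, since Python's standard library has no asymmetric signing; `Device`, `make_packet`, `tag` and all IDs and keys are hypothetical, constructed values.

```python
import hashlib
import hmac
import json


def tag(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the packet body."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_packet(key: bytes, device_id: str, user: str, counter: int, command: str) -> dict:
    body = {"device_id": device_id, "user": user, "counter": counter, "command": command}
    return {"body": body, "tag": tag(key, body)}


class Device:
    def __init__(self, device_id: str, pairings: dict):
        self.device_id = device_id              # unique identifier for this unit
        self.pairings = pairings                # authorized user -> key issued at pairing
        self.last_counter = {user: 0 for user in pairings}

    def accept(self, packet: dict) -> str:
        body = packet["body"]
        key = self.pairings.get(body["user"])
        if key is None or body["device_id"] != self.device_id:
            return "rejected: user not paired with this device"
        if not hmac.compare_digest(tag(key, body), packet["tag"]):
            return "rejected: bad tag"
        if body["counter"] <= self.last_counter[body["user"]]:
            return "rejected: replay"
        self.last_counter[body["user"]] = body["counter"]
        return "accepted: " + body["command"]


def demo() -> list:
    # Constructed sample data: two devices, each paired with one user under its own key.
    ac_key, cam_key = b"constructed-key-ac-0001-alice", b"constructed-key-cam-0002-bob"
    ac = Device("ac-0001", {"alice": ac_key})
    good = make_packet(ac_key, "ac-0001", "alice", 1, "set_temp=21")
    tampered = make_packet(ac_key, "ac-0001", "alice", 2, "set_temp=21")
    tampered["body"]["command"] = "set_temp=35"      # altered after tagging
    return [
        ac.accept(good),                                                # valid command
        ac.accept(good),                                                # same packet again
        ac.accept(tampered),                                            # modified in transit
        ac.accept(make_packet(cam_key, "ac-0001", "alice", 3, "off")),  # another device's key
        ac.accept(make_packet(b"x", "ac-0001", "mallory", 4, "off")),   # unpaired user
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because each pairing has its own key, a key recovered from one device authenticates nothing on any other device in the fleet.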

Of course, all of this requires a key consideration on the part of device companies working in the Internet of Things: hard-coding good cybersecurity. The layers of security are undone if hackers discover device specifications that override security, such as hard-coded back doors or unchangeable default usernames and passwords.

The good news? These kinds of practices are being put in place now as the next generation of devices is being developed, spurred on by events like the Mirai botnet (the Chinese manufacturer whose devices formed a large base of the botnet recalled those devices).

A future where manufacturers and developers implement security procedures from the design stage through production isn’t just around the corner — but it is my hope that it’s coming sooner than many think.