Modern field guide to security and privacy

We need cooperation to secure the Internet of Things

The processes and technologies to prevent digital malfeasance like the Mirai botnet are largely clear — if we can work together

Michael Bonfigli
Jeremy Rowley fields questions from the audience at Passcode's Security of Things event on October 27, 2016.

It’s a common sentiment of internet-connected device owners and even some manufacturers that the security of an individual device isn’t so important.

After all, you might think, if it’s just a few commands being transmitted from my phone to my air conditioning unit to change the temperature in my house, in the grand scheme of things, what can a hacker really do with that?

Quite a bit, actually.  

Individual unsecured devices, especially consumer-facing ones, aren’t so dangerous by themselves, but they become more dangerous as a swarm. We witnessed just such a swarm on October 21, with the Mirai botnet assault on a portion of the Internet’s phone book (also known as a domain name server, or DNS) that shut down the internet on the East Coast.  

When individual devices aren’t secure, hacking into a large number of devices becomes as easy as hacking into one device.

But a large portion of the threat can be mitigated if companies and developers follow security best practices, many of which are well established and can be practiced today.

What’s hard isn’t the practices — it’s the coordination and cooperation necessary to succeed.

At a high level, there are a few easy fixes: devices need unique identifiers; they need authorized users; those two data points (users and devices) need to be connected; packets of information sent between devices (the air conditioner) and controllers (your phone) need to be cryptographically signed; and any updates to a device’s most core software (known as firmware) need to be similarly signed by the manufacturer.

By maintaining the security of the lanes of communication from users and developers to devices and thus cooperating across the Internet of Things ecosystem, hijacking individual devices becomes much more difficult and it becomes nearly impossible to take over a fleet of devices en masse.
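The device-side checks listed above, and why they stop one compromise from scaling to a fleet, can be sketched in code; this is an added example, not part of the original article. It assumes HMAC-SHA256 with a per-pairing secret as a stand-in for the signature scheme, and the replay counter, device IDs, user names and packet layout are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, msg: dict) -> dict:
    """Controller side: tag a canonical encoding of the whole message."""
    payload = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return {"msg": msg, "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class Device:
    def __init__(self, device_id: str):
        self.device_id = device_id   # unique identifier for this unit
        self.keys = {}               # authorized user -> per-pairing key
        self.seen = {}               # authorized user -> last counter accepted

    def pair(self, user: str, key: bytes) -> None:
        """Connect an authorized user to this specific device."""
        self.keys[user], self.seen[user] = key, 0

    def accept(self, packet: dict) -> bool:
        msg = packet.get("msg", {})
        user, key = msg.get("user"), self.keys.get(msg.get("user"))
        if key is None or msg.get("device_id") != self.device_id:
            return False             # unknown user, or addressed elsewhere
        expected = sign(key, msg)["tag"].encode()
        if not hmac.compare_digest(expected, str(packet.get("tag")).encode()):
            return False             # forged or modified in transit
        counter = msg.get("counter")
        if not isinstance(counter, int) or counter <= self.seen[user]:
            return False             # replay of an earlier packet
        self.seen[user] = counter
        return True


def demo() -> dict:
    """Constructed scenario: two air conditioners, each paired to one phone."""
    ac_a, ac_b = Device("ac-0001"), Device("ac-0002")
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    ac_a.pair("alice", key_a)
    ac_b.pair("bob", key_b)
    base = {"device_id": "ac-0001", "user": "alice", "counter": 1, "command": "set_temp:21"}
    good = sign(key_a, base)
    altered = {"msg": {**base, "counter": 2, "command": "set_temp:35"}, "tag": good["tag"]}
    to_b = sign(key_a, {**base, "device_id": "ac-0002", "user": "bob"})
    return {"valid": ac_a.accept(good), "replayed": ac_a.accept(good),
            "altered": ac_a.accept(altered), "key_a_on_b": ac_b.accept(to_b)}
```

Because each pairing has its own key, a secret recovered from one unit verifies nothing on the next one, which is the difference from a fleet that shares a single default credential.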

Of course, all of this requires a key consideration on the part of device companies working in the Internet of Things: hard-coding good cybersecurity. The layers of security are undone if hackers discover device specifications that override security, such as hard-coded back doors or unchangeable default usernames and passwords.

The good news? These kinds of practices are being put in place now as the next generation of devices is being developed, spurred on by events like the Mirai botnet (the Chinese manufacturer whose devices formed a large base of the botnet recalled those devices).

A future where manufacturers and developers implement security procedures from the design stage through production isn’t just around the corner — but it is my hope that it’s coming sooner than many think.
