BOSTON—Noted security experts Charlie Miller and Chris Valasek said the Internet of Things can’t be secure, but it can be tamed.
Drawing from their car hacking experience, the two spent the morning contemplating the larger universe of IoT security and conceded that there will always be thousands of connected devices that will never be secure, and that industry should prioritize personal safety and the security of automobiles and medical devices, for example, over toothbrushes and door locks.
“We write code and we are not perfect. The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security,” said Miller, who, along with Valasek, is a principal autonomous vehicle security architect at GM’s Cruise Automation. The comments were made during a keynote at Black Duck Software’s Flight 2017 conference.
The problem, they said, is if a business’s core mission is not security or personal safety, it’s never going to be cost effective to build world-class security into the devices it makes. Device makers can’t sell great IT security as a product feature and can’t pass the cost on to the customer.
“A locked-down IoT toothbrush with a secure platform would cost millions to develop and millions more to maintain,” Valasek said. The cost to consumers would be $400 a toothbrush and would eventually fail against the $4 Internet-enabled toothbrush advertised with “good” security.
“Unlike a car salesman up-selling you to spend more on airbags, a software company can’t up-sell you on a security package,” Miller said. “A developer can’t tell a potential customer, if you want a security package with your software, that will cost you $1,000 more.”
The problem then becomes quantifying the type of security a product actually needs. For example, there is a big difference between an insecure connected toaster and security cameras hijacked to carry out DDoS attacks. Prioritizing which needs more security is a challenge, they said.
Citing hacked insulin pumps, pacemakers and automobiles, both advocated that the security community focus a disproportionate amount of its time on those security challenges rather than on others.
“We learn from our mistakes. We were bad on security with a lot of these things like servers and browsers. And now we are better. And that’s fine,” Miller said. “People want to solve security. But you can’t. You are never going to make it impossible to hack something. But, you can make it really hard.”
Looking toward the future, autonomous vehicles present a special challenge, the researchers said. “Autonomous vehicles are the next-level things to worry about in hacking cars,” Miller said.
“When we were hacking Jeeps we had steering wheels and brake pedals to fall back on if a hack went wrong,” Valasek said. “Without either of those you’re screwed if your car gets hacked.”
“In 2014 it was an accident our Jeep’s CAN-BUS had so much access to the car’s functions and that Sprint allowed us to see the car’s head unit. With autonomous vehicles, they are designed to have outside input,” Miller added. Miller and Valasek said security needs to be the first thought and paramount with autonomous vehicles. For the bulk of companies building connected things, security shouldn’t be their primary concern.
“If you’re a company worried about being attacked, it’s not internet-enabled lightbulbs that you have to worry about. It wasn’t an Equifax toaster that led to 145 million people getting their personal data leaked,” Valasek said. Thwarting server breaches and network hacks takes more conventional meat-and-potatoes security defenses.
“It’s fun to talk about hacking IoT devices. But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks,” Miller said. “Don’t be surprised if the IoT toothbrushes of the world get hacked. Focus on the important stuff.”