BOSTON—Noted security experts Charlie Miller and Chris Valasek said the Internet of Things can’t be secure, but it can be tamed.

Drawing on their car-hacking experience, the two spent the morning contemplating the larger universe of IoT security and conceded that there will always be thousands of connected devices that will never be secure, and that industry should prioritize personal safety and the security of automobiles and medical devices, for example, over toothbrushes and door locks.

“We write code and we are not perfect. The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security,” said Miller, who, along with Valasek, is a principal autonomous vehicle security architect at GM’s Cruise Automation. The comments were made during a keynote at Black Duck Software’s Flight 2017 conference.

The problem, they said, is if a business’s core mission is not security or personal safety, it’s never going to be cost effective to build world-class security into the devices it makes. Device makers can’t sell great IT security as a product feature and can’t pass the cost on to the customer.

“A locked-down IoT toothbrush with a secure platform would cost millions to develop and millions more to maintain,” Valasek said. The cost to consumers would be $400 a toothbrush, and it would eventually lose out to the $4 Internet-enabled toothbrush advertised with “good” security.

“Unlike a car salesman up-selling you to spend more on airbags, a software company can’t up-sell you on a security package,” Miller said. “A developer can’t tell a potential customer, if you want a security package with your software, that will cost you $1,000 more.”

The problem then becomes quantifying what kind of security a given product actually needs. For example, there is a big difference between an insecure connected toaster and security cameras hijacked to carry out DDoS attacks. Prioritizing which needs more security is a challenge, they said.

Citing hacked insulin pumps, pacemakers and automobiles, both advocated the security community focus a disproportionate amount of time on those security challenges versus others.

“We learn from our mistakes. We were bad on security with a lot of these things like servers and browsers. And now we are better. And that’s fine,” Miller said. “People want to solve security. But you can’t. You are never going to make it impossible to hack something. But, you can make it really hard.”

Looking toward the future, autonomous vehicles present a special challenge, the researchers said. “Autonomous vehicles are the next-level things to worry about in hacking cars,” Miller said.

“When we were hacking Jeeps we had steering wheels and brake pedals to fall back on if a hack went wrong,” Valasek said. “Without either of those you’re screwed if your car gets hacked.”

“In 2014 it was an accident our Jeep’s CAN bus had so much access to the car’s functions and that Sprint allowed us to see the car’s head unit. With autonomous vehicles, they are designed to have outside input,” Miller added. Miller and Valasek said security needs to be the first thought, and paramount, with autonomous vehicles. For the bulk of companies building connected things, security shouldn’t be their primary concern.

“If you’re a company worried about being attacked, it’s not internet-enabled lightbulbs that you have to worry about. It wasn’t an Equifax toaster that led to 145 million people getting their personal data leaked,” Valasek said. Thwarting server breaches and network hacks takes more conventional meat-and-potatoes security defenses.

“It’s fun to talk about hacking IoT devices. But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks,” Miller said. “Don’t be surprised if the IoT toothbrushes of the world get hacked. Focus on the important stuff.”

Categories: Featured, Hacks, IoT, Web Security

Comments (14)

  1. Alec

    False dilemma. This isn’t a question of “good security” vs. “great security”. The current issue with IoT is that millions of devices are shipping with NO security: default passwords that can’t be changed, software that can’t be updated, cloud services that do not support encryption. I don’t necessarily expect a lightbulb to get pen tested by the NSA but the current state of the art is laughable.
    • Alter und Weiser

      From the company’s officers’ perspective, the security is good enough when it survives long enough for them to get their bonus payouts, IPO, next gig… The way to solve this problem is to lay personal liability on the officers of the company. Then you will get quality risk analysis and suitable risk mitigation.
      Until then, caveat emptor.
  2. Neil

    Well, if it is an “Internet Enabled Toothbrush”, yes, we can ignore it for the most part. Unless you are the company who is getting attacked via DDoS by millions of compromised “Internet Enabled Toothbrushes”. My question is, what about a Windows IoT POS which is connected to your Organisation Server and to the Proprietary SW…?
  3. Name

    Correct me if I’m wrong, but the main problem with IoT vulnerabilities isn’t “oh no! my company will suffer a data breach”
    It’s more along the lines of “Wow, thousands of devices with shitty security allow people to leverage attacks like Mirai, which can bring down ANYONE”.

    I know it’s the Tragedy of the Commons, but we don’t need security on IoT to protect our IoT devices, we need it so that, on a global scale, we don’t get more people sending DDoS at scales that can send a whole country offline.
  4. Andy

    I agree that securing these things for the most part is not feasible from a cost perspective. So we have to do what we can to keep them from being hacked and to keep them from being used in DDoS attacks. This is where the router manufacturers have to step up their game. If they are properly secured it will drastically reduce the ability for IoT devices to be attacked.

    Having an insecure toothbrush or toaster is way less bothersome for me than a device that is designed and sold as a way to connect all of your stuff to the internet and give you protection, yet it is often the worst device on the network when it comes to security.
  5. Syn

    1. Basic security would be a massive upgrade. You don’t need world class security on every device.
    2. The ability to push updates as large vulnerabilities surface is going to be a must, otherwise even simple updates are all but impossible.
    3. The best solution is to lower the attack surface of your home or business network, only make something internet accessible if absolutely necessary. There is no need for an internet connected toothbrush. If you don’t connect your toothbrush to the internet it can’t be hacked.
    • Eric

      There is a need if I want to see how hard (too hard, too soft), how long, and what position the toothbrush was in. Was it just laying on the counter or were the kids actually using their toothbrush?
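As an added illustration of Syn’s point above that a device must be able to take updates (and Alec’s, earlier in the thread, that many ship with software that can’t be updated at all), here is a minimal signed-update check in Go. This is example code written for this page, not code from the speakers, the commenters, or any vendor; the update layout, the type and function names, and the firmware bytes are constructed assumptions. The vendor signs a version counter together with the image using Ed25519; the device verifies the signature with the public key it was provisioned with at manufacture, and only then checks that the version is newer than what it is running, so a genuine but old image cannot be replayed to reintroduce a patched bug.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware update: a version counter, the image
// bytes, and an Ed25519 signature over both. The layout is an assumption
// made for this example, not any vendor's real format.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

var (
	ErrBadSignature = errors.New("update: signature verification failed")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
)

// signedDigest binds the version to the image so an attacker cannot pair a
// validly signed old image with a higher version number, or vice versa.
func signedDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor side: it runs at release time with the private
// key, which never leaves the build system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// Device models the on-device state: the vendor public key provisioned at
// manufacture and the version currently running.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// Apply is the device side. Signature first, so an unsigned image can never
// influence the version check; then anti-rollback; then install.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, signedDigest(u.Version, u.Payload), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Version // stand-in for actually flashing the image
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Installed: 1}

	good := SignUpdate(priv, 2, []byte("firmware image v2 (constructed)"))
	fmt.Println("genuine v2:     ", dev.Apply(good)) // <nil>, device now at v2

	tampered := good
	tampered.Payload = []byte("firmware image v2 plus a backdoor")
	fmt.Println("tampered image: ", dev.Apply(tampered)) // ErrBadSignature

	old := SignUpdate(priv, 1, []byte("firmware image v1 (constructed)"))
	fmt.Println("replayed v1:    ", dev.Apply(old)) // ErrRollback
}
```

The ordering in Apply matters: verifying before reading any field from the update means a malformed or attacker-controlled image is rejected before it can affect device state, and the monotonic version counter is what turns “we can push a patch” into “an attacker cannot push the unpatched version back”. On a real device the public key and the installed version would live in write-protected or authenticated storage; here they are plain struct fields.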
  6. Michael

    Seriously, did they factor in the ethics of their opinions? What happened to “the consumer is always right”? Products should be labeled as such: “Warning, this product is not secure.” The general public needs to know this.
  7. Shari Lawrence Pfleeger

    The security “experts” imply that if you pay enough, you can get perfect security — which is simply not true. Moreover, an insecure toothbrush could, with the right hack, give an electric shock to millions of users, something dangerous and perhaps even deadly. So the real question is: Why are we putting software in all these things? What’s wrong with a regular toothbrush? Why does everything have to be connected? Does your dentist really want a message whenever you brush your teeth? We in the software business need to be able to say, “you don’t need software in that,” or “you’re better off without software in that; it introduces too many risks that aren’t worth the benefits.”
  8. Renjith

    The products where security cannot be enforced need to be identified as a different class and the consumer should be educated about the negative impact. In the real world I don’t think that any entity would encourage this, since this methodology is against the profit-driven agenda; however, a generic certification body should govern this and take responsibility.
  9. Jason A

    I don’t think that a thing should be an internet thing if it isn’t secure. I don’t see this as an issue. I think it’s OK if most things will never be on the internet.
  10. Anon

    lol sounds like a cop out on their end. Also who is it that wants an IoT toothbrush? people are just getting weird with what they want connected. “Look I did 200 brush strokes instead of 198 tonight YAY!!!”
  11. Steve

    Yeah this seems like, hey by the way don’t look at any other IoT security research as only our security research is important. Hacking Jeeps is important, oh but wait, did Mirai and IoTroop use cars to spread malware? No, it was by hacking these cheap devices only… so get over yourself, Charlie.
