I often say to people, “Just because you can connect something to the internet, that doesn’t mean you should connect something to the internet.” Sure, it would be great to be able to log into a baby monitor while you are on a trip. But let’s face it, what is the value of doing that once a year, and what is the cost of letting strangers around the world watch your child each night because you did not set up the security properly? Yes, it has happened time and time again. Next we discovered that connected insulin pumps could be hacked. Luckily the attacker needs to be in close proximity, but this is an exploit that could be deadly. Finally, the Mirai botnet attack became very public when the distributed denial of service (DDoS) attack essentially took down major web properties like Twitter by flooding their domain name service (DNS) provider with so many requests that servers were overloaded and traffic languished. This attack left millions of Americans unable to access web services throughout a large chunk of the country. As it turns out, the attack was performed by internet-connected devices like web cams that had poor security.
Who is responsible? Who can we hold accountable? When compromises like this happen, it can cost companies thousands, millions or billions of dollars, with little or no recourse. If your supplier has a flaw in the products they provide to you, your company has a legal remedy to recoup losses, but what happens when it is a marginal manufacturer on the other side of the globe building insecure products that unwitting consumers are deploying, exposing a global infrastructure?
While I am not a fan of rules or regulations, this entire situation screams for a better solution than, “Eh, not my problem.” In a free society, manufacturers should have the ability to make any product that they want, but if you aren’t going to provide a secure product, where is the scarlet letter that should be posted on the box as a warning? How can a consumer tell if your product is secure or not? Additionally, we expect consumers to take some responsibility; we want them to be secure and follow good security protocols on their own networks, but if we aren’t laying out the details clearly, can we really expect them to be secure? The Internet of Things (IoT) has amped up the problem, as my colleague Mike Krell has recently pointed out. IoT is going to force billions of devices—many of which could fall into the “shouldn’t be connected to the internet” category—online, hopefully in a secure manner, but how do we ensure this?
(Source: John Fruehe)
To help promote healthy eating for Americans, all processed foods that are available for sale have a recommended daily allowance (RDA) for nutritional value listed on the side. Maybe it is “big brother” telling you what to eat, but with our current epidemic of obesity in this country, having more information about what you are putting in your body is just one modest way to help and, more importantly, to raise awareness. Shouldn’t we be doing the same for connected devices and security? Shouldn’t we be raising awareness and also holding vendors’ feet to the fire on ensuring that they are creating secure products? After all, when these consumer products are compromised, real business impacts can occur and real money can be lost. What if there was a label that every manufacturer had to include on their box? Sure, it’s a free world and you can still ship a product with a password hard-coded in the firmware that cannot be changed, but when you do, shouldn’t that warning be on the outside of the box? Food has Nutrition Facts labels; tech should have Security Facts labels.
This could make manufacturers more likely to take security seriously and also provide a better tool for educating consumers. Just this past week I was raving about my connected garage door opener. For someone who gets about three blocks away and wonders, it is a great tool to keep me from turning around to drive back home. But when a friend in the security arena asked the obvious question, it dawned on me (the “security-educated” consumer) that I had not checked. The good news was 128-bit AES between the system and the internet. The bad news was that there is a “proprietary encryption” between the door sensor and the gateway. That is something that, as a consumer, I should have researched.