BreachExchange mailing list archives

Smart devices get smarter, but still lack security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 00:46:30 -0700

http://www.csoonline.com/article/744756/smart-devices-get-smarter-but-still-lack-security

As you shop for that new "smart" refrigerator that can do everything
including figuring out when you're low on milk, perhaps you should also
think about the risk of some mischievous hacker taking control of it and
having 5,000 gallons of milk delivered to your door.

Unlikely, yes, but possible. And that's just inconvenient. What about a
hacker who unlocks your doors while you're away?

That scenario is real. It has been demonstrated. Security experts have been
saying for more than a decade that, in the world of electronic devices,
"smart" does not mean secure. They have warned that if security is not made
a priority, the convenience provided by those devices will be undermined by
cyber criminals.

And most of them say things have gotten even worse since those warnings
began, in part due to the explosive growth of consumer devices with
embedded computers.

In an interview with PaulDotCom Security Weekly TV this past February,
Craig Heffner, a vulnerability researcher with Tactical Network Solutions,
put it bluntly. "Go back 15 years in computer security, pick every problem
we've had from then to now, and you'll find it in embedded systems," he
said.

That would make it a problem growing by orders of magnitude. At a
conference on the Internet of Things (IoT) last month, sponsored by the
Federal Trade Commission (FTC), the agency's chairwoman, Edith Ramirez,
said the 3.5 billion sensors now on the network are expected to grow to
trillions within the next decade. Indeed, many of today's new cars already
have more than 100 embedded, connected computers.

"Five years ago, more things than people connected to the Internet," she said.
"By 2020, 90% of all cars will have some kind of vehicle platform, up from
10% today. By 2015, there will be 25 billion things hooked to the Internet.
By 2020, that will grow to 50 billion. In the consumer market, smart
devices will track our health, help us remotely monitor an aging family
member, reduce our utility bills and tell us we're out of milk."

But all that, she said, will come with "undeniable" privacy and security
risks. In response, she said, the stance of the FTC is that, "companies
need to build security into their products, no exceptions."

Perhaps some day. But according to most experts, the opposite is true — the
exception is a smart product that actually has security as a key component.
Heffner, who appeared on a panel discussing the "connected home" at the FTC
conference, contended that, "consumer devices typically don't have any
security, at least not by today's standards."

In an interview, Heffner said the biggest reason for that is that,
"people don't make purchasing decisions based on the security of a product.
They do it based on the product's features, looks and price. Why in the
world would a company spend time and money on something that users don't
care about and will never see?"

That has been the mantra of security guru Bruce Schneier, chief security
technology officer at BT, for some time. In a blog post this past August, he
said everything from consumer devices to massive industrial control systems
have, "long been hackable."

Why? Schneier blames both consumers and manufacturers, but mostly
manufacturers. "Security is very hard to get right," he wrote. "It takes
expertise, and it takes time. Most companies don't care because most
customers buying security systems and smart appliances don't know enough to
care."

Perhaps, at least so far, they have not been given reason enough to care
either. While there have been impressive, and disturbing, demonstrations of
how easily a skilled hacker can take control of home automation systems,
including heat, air conditioning and door locks, there has so far not been
any major consumer panic over those risks.

Consumers should not be expected to know enough to care, according to
Schneier. "A lot of hacks happen because the users don't configure or
install their devices properly, but that's really the fault of the
manufacturer," he wrote. "These are supposed to be consumer devices, not
specialized equipment for security experts only."

The standard response of manufacturers of smart devices has long been that
making their products truly secure would make them too difficult for
consumers to use — that security would undermine convenience.

Aaron Cohen, founder of The Hacker Academy, sees some merit in both
arguments. While he has long been an advocate for building security into
products, he said there has to be a balance between security and
convenience.

"Most people put functionality ahead of security," he said. "If you make
your TV so secure that you can't turn it on and off, you're not going to
sell many of them. If you unplug everyone's computer, you'll make them
secure, but you're not going to get any work done."

Cohen advocates the Secure Software Development Life Cycle (S-SDLC), using
methods of the Open Web Application Security Project (OWASP), which he said
addresses the "low-hanging fruit" risks. And he said he thinks the industry
should set priorities, with more focus on securing devices that lock or
unlock a home than on those that turn the heat up and down, or on
televisions.

He said much of the risk analysis can focus on financial incentives. "Until
they (hackers) can monetize breaking into your TV, is that really the best
way for them to make money?" he said.

Jeff Hagins, CTO and founder of SmartThings, who was also on the panel at
the FTC workshop, is one of many who say security vs. convenience is a
false dichotomy. Hagins told CSO he thinks it is cost, more than
convenience, that trumps security, but that both can and should be a
priority.

"Great user experience design is just hard, and yes, integrating security
into a great design is also hard," he said. "Consumers will adopt the
products with the best experience and the features they need at the price
they can afford. Maintaining this balance isn't easy, but the companies
that are successful with this balancing act, while making security features
a priority, can win."

There is some good news among the bleak predictions, according to Gary
McGraw, CTO of Cigital and a long-time advocate of "building security in."
McGraw said that the FTC, under its previous Chief Technologist Edward Felten
and current Chief Technologist Steven Bellovin, "has been extremely active in security and software
security. Those guys are guru-level experts."

McGraw said while security improvements in smart devices are, "not going to
happen overnight," that there is progress in "important areas, like mobile
security." Like Cohen, he said progress in appliances like refrigerators
can come later. "You take care of the stuff that matters first," he said.

There are mixed views about whether that is happening. The FTC's Ramirez
asserted at the recent conference that, "companies that don't pay attention
to their security practices may find that the FTC will." She cited a recent
settlement the agency reached with TRENDnet, after live feeds from nearly
700 of the company's security cameras were found to be viewable without
credentials and links to them were posted on the Internet.

But there were no reported financial penalties in that settlement — only
that TRENDnet is barred from misrepresenting that its software is secure,
that it must address security risks, help customers fix their software and
obtain an independent assessment of its security programs annually for 20
years.

And Schneier and Heffner said they have not seen any progress in improving
security. "The market just isn't there," Schneier said in an interview.

Heffner said he is, "very encouraged by the FTC's recent actions and
involvement, and I think it's a step in the right direction. However, I
can't say that I've seen any sweeping changes in the security of embedded
systems myself."

There is also a range of views on what can and should be done. SmartThings'
Hagins said he thinks before increasing regulation from the FTC, "we as an
industry need to take a crack at self-regulation with a certification
program that is similar to PCI-DSS (the Payment Card Industry Data Security
Standard, the compliance regime for card-payment and e-commerce transaction security)."

Heffner is dubious about the effectiveness of such an initiative. "The
Internet of Things has been around for a long time – just without the silly
name – and manufacturers have had years to regulate themselves," he said.
"I think it's pretty clear that has failed. What is going to suddenly
motivate them to start regulating themselves now?"

Heffner added that PCI compliance does not guarantee security either. "Just
because you've checked all the boxes doesn't mean that you can't be
hacked," he said.

Hagins and Schneier both say if security is going to improve in embedded
devices, there will have to be a way to do updates, or patches, to fix
vulnerabilities. "The ability to update software, even embedded firmware,
is critical to the ability to address undetected vulnerabilities," Hagins
said.

"The big problem is that there is no way to patch them," Schneier said,
"and as these things proliferate, hackers are seeing that the better target
is not the computer but the router (the way most home devices connect to
the Internet)."


Ultimately, even though the consumer cannot be expected to understand
software security, experts expect it will take consumer pressure for the
security paradigm to change.

"Consumers think stuff is secure, even though nobody told them it is,"
McGraw said. "So there is a big disconnect between implicit expectations of
security and the real situation. Right now, they're too psyched about how
cool smart TVs are, but when their expectations go down in flames,
consumers get mad. And then, companies will have a reason to respond."

Once consumers understand the risks of insecure products, "they will vote
with their feet when it comes to buying, recommending, and using devices,"
Hagins said.

But that awareness may come at a painful price. Schneier, asked if he
thinks it will take a high-profile, catastrophic hack of smart consumer
devices to force the market to address security of those products, said,
"Sadly, I think yes."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
