Image thanks to courtesy of toptal.com
Normally I don’t comment on products/industries security because I believe that market is the best arbiter and I just got other stuff to worry about, but IoT is different. IoT are products of high interest of regular non-techy people, who have no clue about security aspects of the shiny WiFi-managed light bulb they just bought on Aliexpress for $3.Only InfoSec professionals can change the status quo in the market largely represented by people buying IoT devices for personal usage.
I see tons of articles about IoT security, all is pondering and crying how bad it is, but let’s talk practicality as those whining articles bring no actual value except of spreading FUD.The truth is that we — InfoSec professionals — failed to secure IoT. It has been crystal clear since ever that most vendors don’t want to spend money on security because it doesn’t directly impact revenue, and for some reason we hoped that IoT is going to be different.I do partially get it why it happened, and I’m far from blaming anyone because I myself haven’t done anything to improve world of IoT security — just saying what it is all about.There are so many vendors of smart devices that we aren’t capable of keeping eye on all new things that are coming out, but there is a hope if we change our strategy. Just take a look on Taviso and how he scared the shit out of AV vendors and made them improve their security.IoT is big and there is gazillion of vendors, so we need more Tavisos of IoT world who are not scared to step out and disclose the dumb security holes left in IoT devices.
I’m not big in IoT pentesting or anything, but when I buy SmartTV for half of my monthly paycheck I can expect it won’t be downloading updates via http and send login credentials in plaintext — or is that too much to ask for?It’s 2016 and if vendor of smart devices doesn’t allow to change default password, webapp contains trivial vulns or doesn’t offer an easy way to do an upgrade, it should go out of business. IoT went too far out of control and I’m all in for public shame&blame for businesses that fail in basics — surely with sane balance and most likely with responsible disclosure, tho without too much indulgence.Those vendors are not non-profit organisations which we should support for free. They’re making money out of it and security should be one of the costs included in product development process — simple as that.
If we as a security community don’t level up our standards, nothing is going to change because security costs money and almost no one wants to spend money on something he’s neither rewarded nor punished for. Especially in industry like IoT where the market is around personal usage and buyers are non-security-savvy folks, it’s easier to skimp on security.The recent IoT DDOS attacks brought attention to IoT security so maybe it’s a waking call for action? IoT puts Internet security in danger as much as it exposes safety and privacy of users.Don’t get me wrong, I love concept of smart devices and surely in future I’ll be using them myself, because all that stuff around intelligent house etc is amazing.For now I’m not going to install any of these in my home because I’m not feeling well with my privacy and security being exposed. But I’m the lucky one, I know this stuff. What about less aware masses?
Simply saying — IoT vendors won’t build security into their products if they don’t have to, and only we can enforce it on them.I believe the only way to change it, is to make it clear for IoT industry that we’re looking at them and while InfoSec practice won’t generate revenue, lack of it will impact their PR and generate churn. This went way too far, we can keep pondering and whining on Forbes or level up our standards and make shit happen.
We’re the heroes of a technology world so let’s not forget about the power we have and the impact we can make if we take action. IoT world already has some heroes who’re fighting the battle, researching the security landscape of smart devices and spreading the awareness so don’t be afraid of being alone. Inspiration is there, only work is pending :)