I once had a teacher who told me it had been years since he had enjoyed watching a movie. When I inquired as to why that was, he explained that because he had helped produce movies he couldn’t help but dissect every detail when watching one. Information security professionals have a similar plight when it comes to technology – we can’t help but peel back the layers and find the flaws in the devices we would prefer to just enjoy like everyone else. With the increase of Internet-connected devices in our lives, that statement has never been truer.
As we all continue to engage with the “Internet of Things” (IoT) it can be overwhelming to understand which of the dozen technologies involved in the function of our devices may contain security vulnerabilities. Mixing mobile applications, service providers, APIs, Wi-Fi, and embedded operating systems creates an eco-system ripe for abuse.
My 2014 RSA Conference presentation features an Internet-connected web camera that had numerous security issues ranging from hardcoded passwords, to insecure APIs, to questionable third-party service integrations. It may seem trivial to blame the vendor for their failure at securing their product but that’s a myopic view to a very large and complex situation. The reality for smaller businesses, of which are producing many of these Internet-enabled devices we all want, is that security expertise is rare to find as part of the staff.
The days of behemoth device manufacturers building all of our technology are quickly disappearing. Small businesses and crowd-funded projects are the new way that we are acquiring the latest gadget that our friends will envy. As this production shift occurs, so must the manner in which technology is evaluated for security.
For all of those entrepreneurs putting new technologies to market, it’s crucial that you reach out to one of the dozens of reputable security firms that can efficiently evaluate your product for egregious errors in security. For the information security professionals reading this, take a few minutes to share your knowledge with vendors when you notice they are missing the mark on best practices.
The sooner we can all unite around a better IoT security posture, the less likely we’ll see the FTC or other government agencies have to continue getting in the middle of product geniuses and the consumers who are salivating for their next great idea.