If I had to speculate, I would guess that security in the Internet of Things will keep appearing in my blog continuously in the future…
Looking at the last few weeks, several vulnerabilities and incidents have shown that the “things” connected to the Internet are more vulnerable than we would want them to be:
- Chrysler saw their Jeep being hacked (Hackers Remotely Kill a Jeep on the Highway—With Me in It). According to ZDNet (Regulators left in dark over Chrysler security flaw for 18 months), they had known about the vulnerability for 18 months.
- A sniper rifle was compromised recently (Hackers Can Disable a Sniper Rifle—Or Change Its Target).
- There are discussions about how vulnerable smart cities are (Most Vulnerable Smart Cities to Cyber Attack on Internet of Things (IoT)).
- At Defcon a presentation has been announced on How to Hack a Tesla Model S. Such presentations at Defcon typically deliver what they promise.
- …and probably much more.
What can we learn? Well, basically we learn that
We learn from history that we do not learn from history – Georg Wilhelm Friedrich Hegel
It seems that we are making the same mistakes we made when classical software (without the “things”) was first developed. Companies seem unable to handle vulnerabilities and have no idea how to fix them; they would rather deny them. Components are not designed with security in mind, engineering does not include the security aspects, and so on. It is not new that security has to be built in from the ground up, and it is not new that security is a job for professionals, not for an engineer with great knowledge about cars or smart cities. That is not good enough; it needs real pros.
If companies follow the route we have seen over time (and which, unfortunately, seems to be getting a revival in certain companies) of adding security to somebody’s job description or handing security over to a good manager with no experience in the security field, they will fail. Interestingly, I have never seen a company appoint its CSO as head of legal, operations, finance or engineering, but I have seen a lot of companies do it the other way around. Can somebody explain to me why?
Dear vendors, this will not work and will ultimately put lives at risk! Take responsibility and hire professionals, and if you cannot afford them, hire consultants to help you with security: it needs a special mindset and a lot of experience.
But as the past shows, this alone will unfortunately not solve the problem. We asked for more security in the software development process, as we now do in the hardware development process, and it did not really help.
Maybe we need product liability to make things better. Maybe we need new technology at the network level to protect the devices connected to the Internet. At the very least, we need creative security people to protect the things on the Net and, ultimately, society.