Last week’s claim that connected fridges are sending spam was a timely warning about some of the risks of depending upon the Internet of Things. Cisco’s 2014 annual security report reminds us that threats lie both inside and outside our network.
The main theme of Cisco’s security report is ‘trust’, and trusting the systems which control everything from refrigerators to oil refineries is critical if machine-to-machine (M2M) technologies are to succeed in the marketplace. Users have to be confident that their connected egg tray won’t be hijacking their smart home.
Overwhelming the consumer
Vendors have to take responsibility for maintaining that trust. “Most of the responsibility is going to rely on the manufacturers,” said Cisco’s Chief Security Officer, John Stewart, at a media briefing on the report earlier this week.
“The possibility of managing all the software and configurations of your home for just something as simple as patching is going to overwhelm most people.
“Vendors themselves are going to have to do a number of things, number one is they have to create very, very, very safe updating systems – and that’s not a trivial design – and then create a secure development and lifecycle elements into every major vendor that’s producing IP. We’re going to have to design security into the things.”
To date, vendors have been poor at updating and patching smart devices. Fraser Howard, Principal Researcher of Sophos Labs, told Networked Globe last November that “there’s a long history of companies with mass market items which deal with things like important items like credentials where they have not had a single thought about security.”
In the corporate market, Cisco’s Stewart sees this changing: “on the enterprise side what I’m starting to notice is a requirement on purchasing that ‘you will tell us your development lifecycle methodology’, ‘you will be held accountable.'”
The consumer side of the IoT is not so encouraging in Stewart’s opinion; he sees governments having to enforce standards to ensure security.
Trusting smartphone apps
One of the biggest surprises in the report was how Android dominates the mobile malware world, with 99% of all smartphone infections being on the Google platform. This could present problems for the Internet of Things industry in the near future.
However, deeper examination shows most of the Android malware is game add-ons downloaded from unofficial app stores. These are a concern but they aren’t widespread, with exploits that target specific mobile devices being just 1.2 percent of all web malware encounters in 2013.
Again, this is a matter of trust. Android device users need to download apps from stores that are trustworthy.
Maintaining trust in the Internet of Things
Like all systems, the Internet of Things depends upon the trust of its users – each device has to trust the integrity of the information it is receiving from other devices, and users have to trust that their data is reliable and stored safely.
Cisco’s report flags this as the main challenge in the current IT and security landscape, seeing it as something beyond just misplaced confidence by users in the websites they visit or software they download.
“The trust problem goes beyond criminals exploiting vulnerabilities or preying on users through social engineering: it undermines confidence in both public and private organizations.
“Today’s networks are facing two forms of trust erosion. One is a decline in customer confidence in the integrity of products. The other is mounting evidence that malicious actors are defeating trust mechanisms, thus calling into question the effectiveness of network and application assurance, authentication, and authorization architectures.”
We’re in the early days of the Internet of Things being rolled out, and mistakes will happen. The challenge for everybody in the industry is to ensure that users – at a domestic or enterprise level – are rewarded for putting their trust in devices that will run their homes, businesses and cities.