Struggling with the problem of insufficient IoT awareness, we have imposed on ourselves a yoke that is difficult to throw off, one that is especially troublesome from the perspective of the end consumer. This is because the curve of technological progress points to a challenging, changing environment in which new solutions are delivered all the time. Fintech is developing, Proptech is developing, Industry 4.0 is developing, and in the midst of these changes stands a perplexed consumer trying to understand what the Internet of Things phenomenon is all about. And while I am not particularly opposed to adaptation by verification, I am saddened to note the continued disregard for security issues. By both buyers and makers.
It is possible that this is due to the potentially difficult subject matter. The available materials are usually written in specialized language that would require taking the time and demonstrating a willingness to understand, which, after all, there is no time for at this frenetic pace of life. On the other hand, playing devil's advocate, is it any wonder the consumer is so passive?
If I were buying a "smart" solution knowing about the existing list of potential threats, would I be willing to persuade myself that I had made the right purchase? In anticipation of DDoS attacks, which can take various forms (ICMP flooding, amplification, jamming), would I still be willing to buy a "smart" device? How would I react to the existence of malware for IoT products (viruses, Trojans, ransomware, scareware) that could trick me into downloading dangerous software that threatens my security? Would I be as eager to buy knowing that my hardware could be easily cracked using rootkits, tampering with software or hardware, or generating bogus certificates?
How can customers fearlessly buy a product that is potentially extremely easy to break and does not meet the basic security criteria publicized by OWASP? How many times have we witnessed physical modifications to smart products, either through environmental sabotage (ultrasonic sensor jamming, spoofing, cancellation) or physical disassembly of the product? How many more such stories do we need to hear?
Attacks on users are becoming increasingly devious and peculiar. They range from the bold and arrogant (identity fraud, abuse of privileges, unauthorized access to personal data), through the devious and clever (phishing, spearphishing, reverse social engineering, impersonation, baiting) and the accidental (natural disasters -- floods, fires, extreme conditions -- that expose access to the inside of a device), to the calculating (man in the middle, communication protocol hacking). And where in all this is the room for problems of a strictly technical nature (errors due to configuration, faulty updates, non-functioning servers, poor cryptography, insufficient authentication)? Where is the possibility of mistakes on the part of third-party companies supporting the "existence" of the product (I mean service providers, SaaS vendors, cloud administrators)?
Less than three paragraphs, a dozen examples of threats, and I haven't even managed to list all the problems (network reconnaissance? Unauthorized data collection? Information leaks? Session hijacking?). In the face of this barrage of information, how is the consumer supposed to find their way? I don't believe there is anyone unrelated to the IT industry who, after hearing the above tirade, which would most likely have to be put in even simpler terms, would be willing to purchase any tool that connects to the network and transmits data about it to other products. After all, that would sound like absurd, ridiculous behavior. Self-destructive actions to one's own detriment. How could anyone in their right mind want to knowingly buy such products and connect them in their environment?
Well, exactly - who?
Therein lies the peculiar paradox we are witnessing. On the one hand, consumers are inadequately informed and unaware (allowing ever simpler interference in their lives), while on the other hand, through their ignorance, they buy more and more smart stuff.
"And what next?" - I might ask now.
The responsibility for the current and future state of affairs rests, at this point, mainly with us -- testers and developers. After all, if we don't start loudly discussing the essence of security testing and don't start introducing and applying smart solutions, we will continue in this madness without regard for the consequences.
It really doesn't take much effort to read and familiarize yourself with the available standards (ISO 27001, NIST SP 800-53, OWASP, IETF RFC 7452, Cybersecurity Policy for IoT, to name a few publicly available ones) and start incorporating them into your software development cycles. Threats can be reduced with more conscious company policies (manufacturing conservatism, privacy by design, threat modeling), with responsible employees (support and monitoring of devices throughout the lifecycle, incident management, training and coaching) and with common-sense product development (especially in areas such as authentication and authorization).
I realize that by starting the topic from the wrong end (e.g., with cryptography), we ourselves can feel just as overwhelmed as consumers. Especially if in such a short period of time we have to familiarize ourselves with dozens of new concepts often ignored under normal production conditions.
How about starting much simpler? Maybe we should go back to the drawing board and ask ourselves four basic questions:
- What are we building?
- What can go wrong?
- What are we going to do about it?
- Have we done a good job so far?
Let's make it a daily exercise to answer the questions we've posed -- honestly and from the heart -- and see whether at this point we have already made mistakes that undermine security.
These are intentionally simple, even trivial, questions, but I am convinced that in most cases they could start an interesting discussion directed precisely at the topic of security.
And while I realize that this difficult issue will not be fixed with one meeting or one article, I would like to believe that it will create the conditions for us to look more frequently and boldly towards the topic of threats.
Every step in this direction and every question properly posed that forces uncomfortable answers is, in my opinion, a move well made.