The Internet of Insecure Things

At the risk of restating the obvious, the Internet of Things is grievously insecure (and also poorly thought out in general).

I’ve blogged about this for several years (e.g., here, here, here, here, here, here, here, here, here, here, here, here, here, here, here, to name fifteen times).  (And here, here, here, here, here, here, here, here, here, here, here, here, here, here, here, here, to name fifteen more.)

But I wanted to bookmark a recent short op-ed piece from IEEE Spectrum, “6 Reasons Why IoT Security Is Terrible” [2]. The heart of the piece is actually from a blog post from two years ago by Josh Corman [1].

The main point is that “The Internet of Things bears little resemblance to traditional IT systems—and that makes it harder to protect”. These differences are:

  • Consequences
  • Adversaries
  • Composition
  • Economics
  • Context and Environment
  • Timescales

I have made the points myself repeatedly.

IoT devices are tied to real world physical systems, where errors or attacks are far more consequential than the loss of data. IoT devices operate in real-life contexts, such as a home or car, where there are no sysadmins, and how could there be a sysadmin for every tiny chip? The ‘composition’ item refers to the fact that IoT systems, like most software, are composed of code from multiple sources, any one of which might be buggy or insecure. And the last one notes that systems may be in use—and under attack—for decades, but IoT systems generally have little, if any, vendor support. If anything is certain, it is that the longer a system is in use, the more likely it will have problems.

Anyway, this is all pretty obvious, and has been from the start. But I wanted to have this note so I can refer to it in the future when I need to say, “I’ve been saying this for years.”


  1. Josh Corman, 6 Differences in Internet of Things and Cyber Safety, in I am the cavalry. 2016. https://www.iamthecavalry.org/iotdifferences
  2. Stacey Higginbotham, 6 Reasons Why IoT Security Is Terrible, in IEEE Spectrum – Telecom. 2018. https://spectrum.ieee.org/telecom/security/6-reasons-why-iot-security-is-terrible