Can we try to get some IoT devices right?

Last week at RSA, various crypto stars, including Don Rivest, Adi Shamir, and Whitfield Diffie, have discussed security research trends in a panel, and the conclusion seems to be that quantum computing and AI are not the real priority with the Internet of Things. The priority is, or should be, to invest in better programming.

If the resources spent on interactive security, such as firewalls and antivirus and the like, were spent on improvements in the logical functioning of devices and a big improvement in quality of programming, we would get much better results
Whitfield Diffie

Close to 15 years ago, I was working on a static analyzer for Java ME, and still hoping that mobile devices could avoid the viruses and malware that were already plaguing PCs at that time. Well, that could have happened, but Symbian was already going bad. Smartphones nailed it: mobile would have malware.

The good thing with IoT is that there has been no suspense. Botnets have come very early in the game. The consequence is that everybody seems to assume today that connected devices will necessarily be ridden with bugs and vulnerabilities. That is a major factor pushing towards preventive security measures, because we now assume that there are problems everywhere.

The reason for my mobile optimism came from smart cards and Java Card. These things have been attacked, but malware has never been a problem. The reason is very simple: smart cards are very far from open. Only their provider can load software on them, and they make sure to protect this privilege.

The good news is that most connected devices are just as closed. New software can only (legally) come from their developers. And like smart cards, their software is often relatively simple, simple enough to deploy a few good security measures.

The bad news is that the current botnet epidemics is the consequence of blatant negligence in the development of connected devices (mostly because security is an externality). There will be bad devices.

In the end, we have three complementary approaches to addressing connected device security:

  • Fight negligence. Enforce regulation to make vendors liable for the security problems they cause through their negligence.
  • Deploy preventive measures. Deploy tools that detect attacks, mitigate them “live” as they happen, and learn about the attacks for the future.
  • Make devices better. Spend more on the design and development of devices to reduce security vulnerabilities and make devices harder to attack.

We will need all three, for sure, but the priorities are difficult to set. It’s easy to guess that my preference goes to making devices better, and I am quite happy to hear that Whitfield Diffie leans in the same direction.

No Comments

Leave a Reply

Your email is never shared.Required fields are marked *