The comparison between IoT security and climate change is getting better every single day, and I am not sure that this is good news. A few minutes ago, a tweet on climate change got my attention:
This is not the new normal, just a pit stop on the way to decades and decades of deteriorating conditions.
Nothing that I didn’t know, but a nice way to remind us that talking about the “new normal” is completely wrong: Things will become much worse before they get any better. And the more we wait to act, the more painful the impact of changing climate will be.
As a citizen of a developed country and most likely a member of the world’s 1% richest, I am not doing much to curb our energy consumption. I proudly bike to work, I try to insulate my house, but I still put my entire family on an intercontinental flight for the vacations. I feel the need to act on the climate, but I don’t seem to be able to decide what to do. I can blame my government (easy), Donald Trump (easier), I can request action, but in terms of actions, I am most likely not doing my share.
I am not a climate expert, and that may explain my questioning. Maybe I should ask one of these experts: What should I do, myself, very practically? What are you doing yourself?
Beyond climate change, we have other, smaller threats to face, like IoT (in)security. And this time, I am an expert. Interestingly, IoT security shares some characteristics with climate change, including at least:
- It’s a time bomb, as the insecure devices that we deploy today will still be around tomorrow, and may come to haunt us in a few years.
- The problem is global; anyone’s vulnerable device can be used to attack somebody else’s IT service, just like any person’s CO2 contributes in the same way to global warming.
- Many citizens understand the risk (security is a top concern for IoT), but very few know what to do to lower that risk.
As an IoT security expert and a user of IoT devices, I need to ask myself the question: Eric, what do you do about IoT security?
- I monitor my network. I have a device at home that lets me know when unknown devices come on my network or when strange things happen. I caught a few things with this, so I am happy about it.
- I use diversified passwords, and sometimes, 2FA (two-factor authentication). However, it took me years to move away from bad practices; I am still not using 2FA wherever I can, and I am still not forcing my family members to use 2FA. I haven’t even changed at least one password that appears on haveibeenpwned. Overall, I am not too happy about this.
- I have no clue about the security of the devices I use. This is bad, but I am just a customer here: my hacking skills are rusty, so I am not going to pentest all the devices that I buy and deploy at home. I have no other way to know, and I am not happy about it.
Since the beginning of 2018, I moved into a job working on the definition of security certification for IoT. When I started, my perspective was to maximize security vertically, making products more secure; that sounded natural for a chip vendor with a strong security background. After only a few months, my priority is now to maximize security horizontally, reaching as many products as possible; that is just as good for my company because our high-security chipsets are useless in a world full of default passwords and other trivially exploitable vulnerabilities.
We need security certification, we need it to be as simple as possible, we need it to be as mandatory as possible, and we need it as soon as possible. Simple? Because some good people trying to implement IoT security fail at it, and we must help them. Mandatory? Because some people think that IoT security is not their problem, and we must force them to act. Soon? Because as the clock is ticking, vulnerable devices are accumulating.
Finally, what can you do even if you are not an expert? You can try to apply some good practices, and you can also ask your elected representatives to act on behalf of the community. And while you’re at it, also ask them to act on climate change.