After CES, Sophos considerations on security
Sophos on CES: A great time to be inventive, but innovation must not come at the price of security

James Lyne, Global Head of Research, Sophos

One of the main themes to come out of CES has been the advancement of the Connected Human. Whilst we can’t commute to work on a Hoverboard just yet, “Sent From My Fridge” emails are now a reality and we can expect to program our coffee machines to have an espresso waiting for us when we arrive home.
We are also witnessing the advancement of “omni-cognisant applications,” the ever-present apps which can monitor our every move, and even keep track of how much milk babies are drinking.
As a plethora of start-up app companies compete for our attention and business and consumer boundaries for Internet of Things (IoT) technologies become harder to define, security on these kinds of devices is no longer a “nice to have,” but a must-have. We can no longer assume these systems are secure. In the not-too-distant future, such systems could yield attacks that have a very personal impact on each of us.
In 2014 we’ve seen more evidence that manufacturers of IoT devices have failed to implement basic security standards, so any attack on them is likely to have nasty real-world impact. As well as manufacturers taking responsibility for properly securing IoT devices, the security industry also needs to evolve to deal with them. Given the already poor security controls of these devices, it may be surprising to some that we have not seen more meaningful compromises in 2014. While IoT device flaws are easily exploited and have been relatively widely published, so far few of them have translated into the financial interests of most cyber criminals. However, that is not to say that this will not blindside us and suddenly occur, given the rapid evolution of the technology. What’s more, not all attackers are financially motivated, and each of these devices is creating a greater bridge from the digital world to the physical.
I’ve personally hacked wireless routers with web attacks such as command injection, CCTV cameras that don’t bother implementing account lockout, and wireless plugs that don’t bother with usernames or passwords and instead explicitly trust the local network.
Security conferences have been filled with demonstrations of these issues, but as yet this has not translated into widespread interest from cybercriminals. However, we can expect to see more serious examples outside the proof-of-concept playpen of security researchers soon. Without better security, these devices could be a very real new vector for attack.
It is key that the security industry evolves to deal with these devices, that vendors of such applications quickly recognise the importance of security (just as Microsoft once had to), and that consumers continue to grow their awareness of the issue so that security becomes a commercial requirement, not an afterthought or nag from security pros.