[LAC-TF] Schneier on “Really Bad” IoT Security: ‘It’s Going to Come Crashing Down’

Fernando Gont fgont at si6networks.com
Fri Apr 17 01:08:12 BRT 2015


FWIW, many of these things were discussed on these lists, and very
similar points of view were offered.


Schneier on “Really Bad” IoT Security: ‘It’s Going to Come Crashing Down’
    Tim Greene
    Network World
    April 13, 2015

Security expert Bruce Schneier has looked at and written about
difficulties the Internet of Things presents - such as the fact that the
"things" are by and large insecure and enable unwanted surveillance—and
concludes that it's a problem that's going to get worse before it gets

After a recent briefing with him at Resilient Systems headquarters in
Cambridge, Mass., where he is CTO, he answered a few questions about the
IoT and what corporate security executives ought to be doing about it
right now. Here's a transcript of the exchange.

* What should enterprises worry about when it comes to the Internet of


* What practical steps should a CSO/CISO take now, anticipating there
will be this IoT to deal with?

There's nothing you can do. This is very much like the computer field in
the ‘90s. No one's paying any attention to security, no one's doing
updates, no one knows anything - it's all really, really bad and it's
going to come crashing down.

And it will be worse because these are going to be low-margin devices,
low-cost devices. You update your computer and phone every three to five
years. You update your thermostat approximately never. Home routers
today. Do you know the way you patch your home router? You throw it away
and buy a new one. And that is going to be a freakin' disaster. This is
a tough one. It's like the computer ecosystem in the mid-90s but without
things like the profit margin. Companies will make "the thing" and they
just put it out there and then they make the next thing. There's nobody
left on staff to do updates, who knows how it works. It's not like your
OS. So when you look at the cars, the thermostats, the
refrigerators—it's going to be bad.

Home routers is where we're seeing it right now. Low cost, binary blobs,
no one knows how they work, there's no one to update them, lots of
vulnerabilities, and we're just stuck with it. Look at routers. When you
see where routers are you'll see where everyone else is going. It's not

* Is there a way to predict what the likely problems will be that the
CIO/CISO will face?

Yes. They will all happen, all the time. I can with 100% certainty
predict the problems. There will be vulnerabilities, they'll be
exploited by bad guys, and there will be no way to patch them.

* So then you're talking about rip-and-replace with hopefully better
secured replacements?

Hopefully but unlikely better.

* Do I really have to worry about thermostats if I'm a CISO?

It depends. We are starting to see these devices used as attack vectors.
The Target breach happened through a point-of-sale terminal. If your
thermostat's on your network, that could be the entry point. The problem
with the Internet of Things is attaching it to non-things. The Internet
of Things is attached to your IT infrastructure so it's going to be
pretty serious.

* Is it at all analogous to BYOD in terms of policy where if you're a
corporate security executive you just say we're not going to attach any
Internet of Things devices to our network?

You could, but that's like saying, "No, we're not going to let our
employees bring in their own lunch." You can say it but it won't stick.

* But they still say you can't bring in your own Wi-Fi router and that

Wi-Fi's different. They no longer say you can't bring in your own
tablet. People would just quit. I think you'll have a hard time
enforcing any of those rules because [IoT] is so powerful. If the CEO
says, "We're saving 20% of our energy bill," and the security guy says,
"But it's insecure," the CEO will say, "Shut up. We're saving 20% on our
energy bill. Go away." And it's going to be like that.

* Are you saying people pretty much haven't learned anything from the
earlier example of early insecure computers?

So it's a different industry. This industry has learned from that
industry. It's the embedded people. Some are trying. The problem is
going to be these are low margin, low cost, low quality devices. That's
what's going to kill us. When you're selling a $1,000 computer you've at
least got a support staff. When you're selling a 30-cent thermostat,
potentiometer, pressure-detecting sidewalk square, smart light bulb—no
one's going to be left to care [about security].

* Ultimately will there be better security in these devices?

Yes it will improve. We will solve this. This will not be the thing that
kills our society. But it's going to be a hard problem. And it's going
to be solved by weird stuff, like there'll be security within the
(network) because the endpoints are all crap.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
