Every “thing” in the IoT is hackable – so now what the hell do we do?


Everything that can be connected can be hacked. Some things more than others. People who make kettles, for instance, make kettles. They don’t think about kettle security issues, even when their product team says the kettle needs to be ‘connected’. So they do whatever is needed to make the kettle connectable.

What this means is that the most vulnerable part of our world is the one closest to our hearts: our homes.

Of course our homes are not the only thing that can be hacked. It is quickly becoming apparent that all the new stuff that we are so excited about – everything that can come under the umbrella of the IoT – can be hacked, and easily.

It is a nightmare, and yet we seem to continue to rush headlong into the future, in the knowledge that it is not safe. Would you allow a family member to do something so incredibly reckless?

Even at a personal level, security is compromised. We all suffer from password fatigue. We – well, most of us – either have one password for everything, or a password vault of some kind, but we are human and we make mistakes. And anyway, if Yahoo can lose 500 million account details, what hope have we got of keeping safe? This is not helped by websites that vary in what they allow as passwords. Some (name deleted to protect the ridiculously antiquated) do not allow anything other than numbers or letters. So none of your secure {@!** is allowed.

What are we doing about it?

Clearly the security industry is on the case, but the fundamental flaw is that it will always be a game of catch-up. The bad guys will always be one step ahead.

You might think that the biometric ideas now being tried – fingerprints, eye scans, selfies – are the solution.

You would be wrong.

As Robert Capps, VP of Business Development at NuData Security, points out, “Loss of fingerprint data is not just a theoretical concern, several large breaches over the last couple of years have exposed fingerprint data en masse.”

So what about the selfie, you might wonder?

Capps is not bullish about that either. “While ‘liveness’ verification has become a standard in modern physical biometric verification systems, they are not without flaws and allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials.”

Not good news, although clearly better than nothing, or a simple (or complicated) password.

According to Capps, though, whichever of these things a bank (for instance) chooses, it is just the “guard at the door”. What you need to add is behavioral biometrics, which is pretty much what it says it is: a real-time way of figuring out whether the behavior is normal human behavior or whether you have a perp on your hands (see this interview with Ryan Wilk).

So, although the security issues will remain a game of catch-up, it just might be that big data and real-time will come together to make our world secure enough to, at least, continue a cautious journey into the future.
