Builders of consumer appliances over the years haven't devoted a lot of time and energy to matters of security. This made sense when refrigerators, home thermostats, and light bulbs didn't share data or tie into a global network of apps and devices.
Along comes the Internet of Things (IoT), and suddenly security matters. The IoT consisted of 20 billion devices in 2013 and will have 32 billion by 2020, according to the research firm IDC. The boom in IoT-enabled gadgets and sensors is a boon for hackers, whose device-focused attacks are starting to make headlines.
In January, the security provider Proofpoint announced it had uncovered an IoT-based cyberattack in which bursts of spam email were sent three times a day. What made the attack unique was that 25% of the volume was sent by compromised consumer devices such as home routers, televisions, and even a refrigerator.
And in March, the security researcher Nitesh Dhanjani took an in-depth look at the potential security threats facing owners of the IoT-connected Tesla electric car.
[Microsoft wants to be a player in Ithe oT. Here's what you should know about its cloud-based management service. Microsoft Azure Intelligent Systems: 4 Facts.]
The Proofpoint-uncovered phishing and spam attack involving household "thingbots" may be the first of many wakeup calls for IoT developers and manufacturers, Scott Morrison, senior vice president and distinguished engineer at CA Technologies, said in a phone interview with InformationWeek. "Hackers are always looking for yet another place to launch huge outflows of spam email messages. And if you can do it with refrigerators, who would've thought of that before? So it was a very clever attack against an Internet of Things device."
Morrison knows a great deal about application programming interfaces (APIs). A year ago, CA Technologies acquired Layer 7 Technologies, where Morrison was chief technical officer.
"One of the reasons CA bought Layer 7 was to gain Layer 7's expertise in API security management," he said. "APIs -- another of those buzzwords that are out there -- are the technology we're using to tie together applications and allow them to share information."
Two consumer-friendly features -- low cost and simplicity -- may present a problem in the quest for a bulletproof Internet of Things. Embedding connected technology in low-margin consumer gadget tends to be a formula for creating a device with potential vulnerabilities, Morrison said. "You're building Internet [connectivity] more as a feature of a regular consumer device, rather than an end to itself. And that tends to take the emphasis off good, solid security practices that we put in when building a website or something."
The race to push connected devices out the door isn't helping, either. "The big problem we're seeing these days is, in so many cases, people are rushing to get products out, and they're not putting the time and effort into really securing these devices up front," Morrison said. "It's not like we don't know how to do it; it's just that we're not doing it."
The recent uproar over the Heartbleed security bug in the open-source OpenSSL cryptography library may help shine a spotlight on IoT security. But more work is needed, according to Morrison.
"What's interesting about Heartbleed is that we've been hearing a lot about large websites where people are quickly patching the code and sending out notices [saying], 'We're now patched and compliant,'" he said. "But we haven't been hearing a lot about some of the embedded devices that could potentially be affected. Of course, OpenSSL is widely deployed across all sorts of different devices -- everything from wireless routers and administration consoles to printers and things like that."
Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls (free registration required).