March 27, 2017

IoT Security Comes to the Forefront

The Register posted a story about a dishwasher with a directory traversal bug. The bug highlights the danger of companies that are unfamiliar with software adding software to their products. Software is hard; even relatively simple software has thousands of places where something can go wrong. In most cases software bugs are an annoyance: they might make an app misbehave or give a user a bad experience, but the damage is usually limited to the app in question. Once the software is connected to a network, the damage that insecure code can do is magnified exponentially.

Over the years, operating systems have embraced a secure-by-default architecture: applications run in protected spaces and cannot harm the underlying system without explicit user approval. IoT devices often run their own custom operating software, designed to run with little overhead so that it is energy-efficient and fast on extremely constrained hardware. In the case of the dishwasher, it looks like a web server was added to the stack but not secured at all.
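What an unsecured file handler looks like next to a checked one, as an added example (not code from the dishwasher's firmware or from The Register's story): the naive version joins the URL path to the document root as received, while the hardened version percent-decodes once and rejects any `..` segment. `WEB_ROOT`, the function names and the sample request are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define WEB_ROOT "/www"   /* assumed document root, not from the article */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Naive handler: appends the raw request path to the web root. */
int naive_resolve(const char *req, char *out, size_t cap) {
    int n = snprintf(out, cap, "%s%s", WEB_ROOT, req);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened handler: returns 0 and fills out, or -1 to reject the request. */
int safe_resolve(const char *req, char *out, size_t cap) {
    char path[128];
    size_t n = 0;
    for (const char *s = req; *s; n++) {
        int c = (unsigned char)*s++;
        if (c == '%') {                       /* percent-decode exactly once */
            int hi = hexval((unsigned char)s[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)s[1]);
            if (lo < 0) return -1;            /* malformed escape */
            c = hi * 16 + lo;
            s += 2;
        }
        /* no NUL bytes, no backslash separators, no oversized paths */
        if (c == 0 || c == '\\' || n + 1 >= sizeof path) return -1;
        path[n] = (char)c;
    }
    path[n] = '\0';
    if (path[0] != '/') return -1;            /* must be an absolute URL path */
    for (const char *seg = path; *seg; ) {    /* walk the '/'-separated segments */
        size_t len = strcspn(++seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return -1;
        seg += len;
    }
    return naive_resolve(path, out, cap);     /* decoded path is safe to join */
}

int main(void) {
    char out[160];
    const char *req = "/%2e%2e/%2e%2e/etc/passwd";   /* constructed request */
    printf("naive: %d %s\n", naive_resolve(req, out, sizeof out), out);
    printf("safe:  %d\n", safe_resolve(req, out, sizeof out));
}
```

The check is purely lexical, so it does not cover symbolic links under the web root; on a platform that offers `realpath()`, canonicalize the joined path as well and confirm it still starts with the web root.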

As more and more devices gain IoT functionality, network security is going to become more and more important. Being able to segment trusted and untrusted devices will become as important on home networks as it is on corporate networks. Having precise control over the ports that devices can communicate on will go from a nice-to-have feature to a must-have feature. All of this added control makes network administration much more complex, far out of reach for most consumers. New ways of configuring networks will need to spring up, along with new user interfaces to manage them. It’s an interesting time for sure.