You don’t realize it, but Symantec’s technology may dwell inside your ATM, your car, or your doctor’s MRI.
SAN FRANCISCO—Over the past few years, the phrase “Internet of Things” or IoT has turned up more and more in presentations and conversations at the RSA Conference.
Security for IoT devices is poor overall, and a hacker who takes over your connected teakettle or dollhouse can leverage that exploit to take control of your network.
But home devices are just one side of the equation.
Brian Witten, Symantec’s Senior Director for IoT, looks at the whole picture, from smart lightbulbs to connected factories.
Witten likes to challenge audiences with a simple exercise. He has each attendee write down a definition for IoT, including specific devices they’d include or exclude.
The wildly different answers make for a lively discussion. His own preferred definition is pretty simple.
An IoT device is anything that has some kind of smart controller and is connected to the Internet, excluding actual computers and smartphones.
That definition covers a lot of ground.
Symantec Inside?
“One thing we’re doing,” explained Witten, “is helping companies build security into their devices. You don’t realize it, but Symantec technology is in ATMs, point-of-sale terminals, even the communication systems used by airports to communicate with planes.” He noted that over 1.5 billion connected devices rely on Symantec’s technology. “Whether you believe the total number of IoT devices is five billion or 15 billion,” he said, “that’s still quite a large fraction.”
Automobile companies are also turning to Symantec, hoping to avoid the embarrassment of having their cars very publicly hacked. “Every day we bet millions of lives on the safety of our vehicles,” noted Witten. While a fix is possible, we’re in what Witten called a window of insecurity.
There are plenty of cars that have the high-tech connections but don’t yet have any security. “They’ve got the bells and whistles, but not the armor,” said Witten.
Those are going to be on the road long after their successors have gained protection.
Attack Potential
Medical devices are life-or-death critical, and sadly open to attack. MRI machines, drug infusion pumps, and the like just weren’t designed with security in mind.
As with the car problem, even if new, secure versions get developed, they won’t be deployed until needed. Witten noted that the average MRI machine has a working life of eight years.
Witten described a possible multi-prong attack scenario that was downright scary. Picture a terror group whose hired hackers managed to devise an exploit affecting a whole generation of a particular type of car.
Disabling all such cars during rush hour could cause (in Witten’s estimate) 50,000 accidents. Now picture the hospitals shut down by a parallel attack.
It’s all too believable.
Security Seal
“Security done well is transparent,” said Witten. “It’s an enabler, not an inhibitor.
That’s part of the reason you don’t know that our technology is in so many systems.
The problem is, you can’t tell a secure ATM from a compromised one by looking. Perhaps we need some kind of security seal of approval.”
When IoT device makers are confronted with the need for security, they react in different ways.
Some actively reject the idea of spending time and money on security.
Some try to tack on security as an afterthought.
And some, perhaps the worst, give an illusion of security. “They toss in one security component and call the system secure,” said Witten. “It’s like locking just one of the doors to secure your house.”
For proper security, the device makers need to embrace four cornerstone security principles.
They must protect the device’s communication channels, protect the device itself, and provide a path for updates in case security flaws come up.
Finally, they need security analytics built in, so they can detect the inevitable failures in the first three areas.
“But what about my home network, my connected doorbell, my child’s Internet-aware doll?” you may ask. “That’s the IoT I want protected!” In truth, Symantec is involved in plenty of small, consumer-side devices too. Witten hinted that Symantec will also offer a product to protect those devices built without effective security, but couldn’t say more at this time. Will it be a hardware solution like the Bitdefender Box? An enhancement to Symantec Norton Security? When we find out, we’ll let you know.