Schneier on “Really Bad” IoT Security: ‘It’s Going to Come Crashing Down’

Security expert Bruce Schneier has looked at and written about the difficulties the Internet of Things presents, such as the fact that the "things" are by and large insecure and enable unwanted surveillance, and concludes that it's a problem that's going to get worse before it gets better.

After a recent briefing with him at Resilient Systems headquarters in Cambridge, Mass., where he is CTO, he answered a few questions about the IoT and what corporate security executives ought to be doing about it right now. Here’s a transcript of the exchange.

What should enterprises worry about when it comes to the Internet of things?

Everything.

What practical steps should a CSO/CISO take now, anticipating there will be this IoT to deal with?

There’s nothing you can do. This is very much like the computer field in the ‘90s. No one’s paying any attention to security, no one’s doing updates, no one knows anything – it’s all really, really bad and it’s going to come crashing down.

And it will be worse because these are going to be low-margin devices, low-cost devices. You update your computer and phone every three to five years. You update your thermostat approximately never. Home routers today. Do you know the way you patch your home router? You throw it away and buy a new one. And that is going to be a freakin’ disaster. This is a tough one. It’s like the computer ecosystem in the mid-90s but without things like the profit margin. Companies will make "the thing" and they just put it out there and then they make the next thing. There’s nobody left on staff to do updates, who knows how it works. It’s not like your OS. So when you look at the cars, the thermostats, the refrigerators—it’s going to be bad.

Home routers are where we're seeing it right now. Low cost, binary blobs, no one knows how they work, there's no one to update them, lots of vulnerabilities, and we're just stuck with it. Look at routers. When you see where routers are, you'll see where everyone else is going. It's not good.

Is there a way to predict what the likely problems will be that the CIO/CISO will face?

Yes. They will all happen, all the time. I can with 100% certainty predict the problems. There will be vulnerabilities, they’ll be exploited by bad guys, and there will be no way to patch them.

So then you’re talking about rip-and-replace with hopefully better secured replacements?

Hopefully but unlikely better.

Do I really have to worry about thermostats if I’m a CISO?

It depends. We are starting to see these devices used as attack vectors. The Target breach happened through a point-of-sale terminal. If your thermostat’s on your network, that could be the entry point. The problem with the Internet of Things is attaching it to non-things. The Internet of Things is attached to your IT infrastructure so it’s going to be pretty serious.

Is it at all analogous to BYOD in terms of policy where if you’re a corporate security executive you just say we’re not going to attach any Internet of Things devices to our network?

You could, but that’s like saying, "No, we’re not going to let our employees bring in their own lunch." You can say it but it won’t stick.

But they still say you can’t bring in your own Wi-Fi router and that sticks.

Wi-Fi’s different. They no longer say you can’t bring in your own tablet. People would just quit. I think you’ll have a hard time enforcing any of those rules because [IoT] is so powerful. If the CEO says, "We’re saving 20% of our energy bill," and the security guy says, "But it’s insecure," the CEO will say, "Shut up. We’re saving 20% on our energy bill. Go away." And it’s going to be like that.

Are you saying people pretty much haven’t learned anything from the earlier example of early insecure computers?

So it’s a different industry. This industry has learned from that industry. It’s the embedded people. Some are trying. The problem is going to be these are low margin, low cost, low quality devices. That’s what’s going to kill us. When you’re selling a $1,000 computer you’ve at least got a support staff. When you’re selling a 30-cent thermostat, potentiometer, pressure-detecting sidewalk square, smart light bulb—no one’s going to be left to care [about security].

Ultimately will there be better security in these devices?

Yes, it will improve. We will solve this. This will not be the thing that kills our society. But it's going to be a hard problem. And it's going to be solved by weird stuff, like there'll be security within the (network) because the endpoints are all crap.
