4 December 2015

Application developers have been chanting the mantra of baking in security for quite some time now, or at least they have in certain quarters. In others, the concept does not seem to have landed yet.

Allow me to explain.

Many security vendors have admitted in recent years that the signature-based approach to malware and virus detection has become increasingly unwieldy. The way forward is adaptive security that monitors behaviour, uses algorithms to spot patterns and correlates data from a number of sources to support both. This is a sea change in the way that security products are developed and deployed. It also gives application developers a basis for understanding how security products monitor applications, traffic and things like application programming interfaces and service exposure for potentially suspicious or unwanted activity. The app developers can then use this understanding to ensure that security is embedded within the applications, not bolted on afterwards.

However, this approach seems to have escaped developers in certain quarters with already disastrous results.

Not only have cars, internet-connected video cameras and home-connected devices demonstrated themselves to be vulnerable to hacking, but worse still baby monitors and connected toys have too. Added to that is the hack of the giant toy maker VTech, in which not only personal details but potentially also photos of children and parents were lost.

It appears that in the rush to be first to market, companies that are unaccustomed to connecting their products to a network, much less the Internet, are entirely unaware of the vulnerability of their products to attack. But the situation becomes even worse when one considers recent research by SEC Consult that showed that even makers of the likes of routers and modems are taking short cuts by sharing the same hard-coded Secure Shell (SSH) host keys or HTTP Secure (HTTPS) server certificates across many devices. This also extended to IP cameras, VoIP phones and other embedded devices, the research said.
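A shared hard-coded host key is easy to spot from the defender's side: every unit in a fleet should present its own key, so any fingerprint that appears on more than one device points at firmware-baked key material. The following is an added example (not code from the column or from the research it cites) that computes OpenSSH-style SHA256 fingerprints for a constructed inventory of host keys and reports the ones shared across devices; the device labels and key bytes are synthetic.

```python
import base64
import hashlib
from collections import defaultdict

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return len(data).to_bytes(4, "big") + data

def ed25519_host_key_line(raw_pubkey: bytes) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64>' line from 32 raw public-key bytes.
    Used here only to construct sample data; in practice lines come from ssh-keyscan."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint_sha256(key_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_shared_host_keys(inventory):
    """inventory: iterable of (device_label, key_line).
    Returns {fingerprint: [labels]} for every host key seen on more than one device.
    On a fleet of independently provisioned devices this dict should be empty."""
    by_fp = defaultdict(list)
    for label, key_line in inventory:
        by_fp[fingerprint_sha256(key_line)].append(label)
    return {fp: labels for fp, labels in by_fp.items() if len(labels) > 1}

# Constructed sample fleet: two router units and an IP camera ship the same
# firmware-baked key; the VoIP phone generated its own key on first boot.
FIRMWARE_BAKED_KEY = bytes(range(32))  # synthetic key material, not a real product key
SAMPLE_INVENTORY = [
    ("routerA-unit1", ed25519_host_key_line(FIRMWARE_BAKED_KEY)),
    ("routerA-unit2", ed25519_host_key_line(FIRMWARE_BAKED_KEY)),
    ("ipcam-unit1", ed25519_host_key_line(FIRMWARE_BAKED_KEY)),
    ("voip-unit1", ed25519_host_key_line(hashlib.sha256(b"voip-unit1").digest())),
]

if __name__ == "__main__":
    for fp, labels in find_shared_host_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} shared by {len(labels)} devices: {', '.join(labels)}")
```

The same grouping works for HTTPS server certificates by substituting the certificate's SHA-256 fingerprint for the SSH one.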

Now this is really unacceptable.

How hard can it be for manufacturers to figure out that someone buying a baby monitor that is Wi-Fi enabled is not likely to be an infosec guru? Would it be a massive leap of logic to have such a manufacturer think: this product is going to send information on the most vulnerable of users from one device to another, so maybe we should protect it to the highest, not just the most basic, standards?

Maybe a simple rule would suffice. How about: the more vulnerable the likely user of a network-connected device is (irrespective of whether that means Internet connected), the higher the security standards required. And perhaps that should be extended: the more likely a network-connected device is to be deployed by people with basic technology skills, the better its security must be, without compromising ease of use.

There, that wasn’t that hard, was it?

Companies may have been dazzled by the potential to be first to market with the internet-enabled fridge, toaster or even car, but as that is rapidly turning into the potential to be first to disaster, companies need to think twice about security. If networked technology is not a core competency, then partnership is your friend.

As the large automakers have now learned, it is worth partnering with experts in the field rather than trying to do everything internally. It is a lesson worth heeding for anyone making products or services to be consumed by vulnerable individuals.

TechCentral.ie