Black Hat USA 2013 attendees listen to a keynote address by General Keith Alexander, director of the NSA, at Caesars Palace in Las Vegas, Nevada July 31, 2013.Credit: REUTERS/Steve Marcus
Every year the numbers and the types of devices security professionals find themselves having to secure from attacks keep growing, and there's certainly no sign of that letting up at Black Hat 2014 this year.
This week at the annual Las Vegas event, researchers Charlie Miller and Christopher Valasek in their talk A survey of remote automotive attack surfaces, will show how attackers often remotely - can leverage vulnerabilities to hack vehicles, and in some cases quite seriously. While Logan Lamb will present how home security systems are susceptible to shenanigans in his presentation, Home Insecurity: No Alarms, False Alarms and SigInt.
And researchers Don Bailey and Zach Lanier will be hold a roundtable on security and Embedding the Modern World, Where Do We Go From Here. The panel will examine how embedded computers, smart watches, cameras, industrial control systems, and other devices will impact security in the years ahead.
The good news is that the security industry is well familiar with the means to secure the IoT and embedded devices, such as identity management and secure software development. The bad news? We've yet to broadly master either.
Don Bailey, CEO at Lab Mouse Security contends that the management of identities and associated user and device permissions will be critical when it comes to bringing trust to the IoT. "The number one issue is identity. We will have all of these unmanned devices that aren't going to be monitored by anybody," says Bailey.
"You will have these complex devices controlling your refrigerator, your car, or whatever else that you can imagine. But how do you know that the actions that are being taken on that device can be attributed back to a specific individual? How can you ensure that any action that's taken is an action initiated by the authorized user," he says.
And, because of the many moving parts, the security of IoT and embedded devices depends on an entire stack of trust when it comes to the interconnected networks, hardware, applications, operating systems, and protocols. "It requires a lot of participation from different organizations, which I don't think people fully understand how these complexities create a lot more opportunity for subversion than people realize," says Bailey.
For instance, the most common way Bailey infiltrates IoT systems is over the cellular network, largely because it is assumed that the security of the communication channel is assumed to be managed by the provider. "And each provider of software and hardware often presume their all secure, and no one has any real control over the security of the entire system," he says.
Sign up for Computerworld eNewsletters.