IoT and security

I’m reading this article [Romanian] about the need to secure IoT solutions. Vali’s concern is valid even if he’s not a specialist; perhaps the fact that he’s not a specialist is what makes his opinion relevant. However, I disagree. The IoT solutions need not be secured.

IoT solutions need to be built on secure grounds from the start. I am amazed about the number of breaches in IoT systems – I’m talking about those that we know about, and I’m talking about those that we don’t know about, which are the scariest. The ability to control one’s house, or detect if there’s someone on the premises, is scary. The problem?

The new wave of startups that do bold things when it comes to IoT. The mentality of a startup is to build the MVP – The Minimum Viable Product, and then roll with it. Yes, they have a solution fast, and they get it to work swell with three or four devices – not so much when you think about how many devices are out there to support. And there’s no standard. But their point is to create that MVP and sell it to an investor, who will pick it up and do the brunt of the work.

However, not all succeed, and they start selling it to consumers, and selling something to consumers is a whole different ball game. Youngsters hunting for fast bucks will decide that the MVP works on the consumers as well – and the faults of their systems are not obvious to the consumers because they are hard for laymen to prove. What does your accountant neighbor know about SSL? What do they know about certificates? About home system security? Nothing. So you can sell MVPs to consumers just because they are flashy – and people buy them because they like cool stuff.

Yes, that’s why IoT solutions must be a security solution first and foremost. MVPs should be built on secure grounds, but security is a boring topic and young guns prefer not to think about it. It’s easier not to. It’s easier to think that it’s just a detail.

Disclaimer: I work for an IoT solution, and learned these things the easy way: by building directly on secure grounds.


IoT and security — 9 Comments

  1. I know there aren’t many like me, but you’d be surprised to know how much “your accountant friends” know about technology and about security.

    After all, data confidentiality is one of the characteristics that should define an accountant.

    But I digress; the problem is not so much the people who produce unsecured IoT solutions as those who buy them.

  2. I remember when a guy with medium programming knowledge (not some hacking whiz kid, mind you) hacked into several “room control panels” at a series of prestigious hotels (I think you shared one of the articles too – the panels were based on an old version of Android and he entered the root interface through an Android-based light switch!!!) and one of the owners gave a reply that sounded something like this: It’s ok, it’s not like someone can read your card! Of course it’s not, but someone can control the electrical panel of your room by using a generic USB hack and 5 minutes of online reading.

    • And to buy with ”security-first” in mind!

      I keep getting asked why I pay for an antivirus solution in 2016, when there are tons of free solutions (including a rather decent one in Windows 10) and when classical viruses are close to extinct. I don’t pay for “virus protection”, I pay for “ransomware protection”, because most of the time, security has nothing to do with your usual viruses, trojans, malware or 12-year-old “hackers”. If you care about the contents of your system (be it a classical one, a mobile one, an IoT device or anything that has an operating system, come to think of it), you’ll always ask yourself: what’s the worst that could happen and how can I prevent it?

