Oh, the things that we didn’t know enough to worry about five years ago: Cars that can be remotely “bricked”via computer; home automation controllers that can be compromised to distribute spam; “smart”light bulbs that can be hacked to reveal Wi-Fi passwords.
Now that the Internet of Things (IoT) is upon us, these things have all made the headlines lately. But I’m not here to say that the IoT is a terrible idea and we all need to reject it before it destroys our last vestiges of security and privacy. My take is that what is going on with the IoT is predictable, preventable and fixable. I say this because when it comes to rolling out new technologies, history has a way of repeating itself.
Think about it: Every time a new and cool technology is released, the early adopters find out within a month or two that it has some gaping security hole.
Why? Is this pattern really inevitable? My colleague Gary McGraw wrote in 2006 about “The Trinity of Trouble”—connectivity, extensibility and complexity — that underlies the introduction of security holes in new technology products. Those factors certainly contribute to the problem, but I see things a bit differently. I think of the root causes as naïveté, ignorance and laziness, or “Nail”for short. Here’s why.
When diving into new technologies like connected refrigerators and thermostats, product developers tend to be naive about threats, ignorant of security controls and/or too lazy to fully learn and hence implement things the right way the first time.
Naïveté.Product developers tend to naively underestimate threats, particularly if they are new to them. They don’t appreciate the lengths to which adversaries will go in researching their new products for possible vulnerabilities and developing tailor-made attacks against those vulnerabilities. Inevitably, they are surprised when vulnerabilities and attacks are disclosed. Caught off guard, they often rush a solution out the door that solves nothing and possibly even makes things worse.
Ignorance. Being naive about the threats their products will face, developers are naturally ignorant about the security controls that they can and should be implementing in their products. Things like end-to-end link encryption, strong mutual authentication, threat modeling and code reviews are often simply ignored until it’s too late.
Laziness. All right, I know this sounds harsh, but when developers are aware of security controls and still don’t implement them, my perspective from the outside is that they’re just too lazy to do things right the first time.
The three elements of Nail are all quite understandable, though I can’t quite forgive them. They are understandable because product development is fiercely competitive, with companies under intense pressure for their new technologies to be first in the market. The thinking seems to be that once the new product has a strong foothold in the market, they will be able to go back and bolster security. The unforgivable part is that tomorrow never comes — or only comes when some researcher publishes a paper exposing a gaping security hole for all the world to see.
So how do we eradicate Nail? It’s a tall order, and I’m not convinced we can do it completely.
After all, you would expect naïveté to dissipate in the face of countless headlines about other products’ security fiascoes. I haven’t noticed that happening. Naïveté and a bit of misplaced hubris are a dangerous combination.
Ignorance can be overcome, and there are many security guys like me who’d gladly help software developers learn about the security controls they can deploy with their products. That, however, requires the developers to actually attend some training and then put it into practice.
As for laziness — well, there we’re up against a very formidable foe, human nature.
Despite that assessment, I’m an optimist. I’m convinced that if you’ve assembled the right staff, armed them with knowledge and inculcated a culture of putting quality and security first, things will change — especially after my recent encounter with a top-notch security organization. Which of you product developers wants to be first?
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.