Thursday 12 March 2015

Internet of Things - Safety Last?

The UK Home Office have warned about the risks of 'smart devices'.   But the Internet of Things (IoT) is the big news in technology today, if you discount the gold Apple Smartwatch that is....  Once again, security and safety are at risk of lagging the market. But that's not entirely the fault of the smart meter, light switch or thermostat control manufacturers.

All of these devices work on a network technology that is fundamentally insecure. Almost ALL of the security technology we have today is trying to deal with the issue that internet protocols weren't designed with security in mind and now we're lumbered with them.

So in your house you have a wonderful wireless network that is secured (I hope) with WPA2 or better. If you know the password, you get on the network. Your IoT device has a way to authenticate to that network. And it starts working. Great! Secure network = secure device. Right?

Wrong. Unfortunately, a secure wireless network is not sufficient, and if you've chosen a poor password, it's not a secure wireless network anyway. 

The IoT device is almost certainly small, has low power consumption, and a low powered minimalist capability. It's designed to be low cost, and you don't do that by sticking a Windows server inside it. So it can't do much except what its basic function (why you bought it...) requires. You have to consider the device insecure.

Does this matter? Well probably not. Most 'things' won't have an impact. But some will. A thermostat could turn on your boiler and heating - wasting fuel. If your security system is connected up then could that be overridden. It all depends on what the device is and what it's supposed to do.

When you choose a smart device, whatever it does, you should check for some basic things. Does it have a password to protect its configuration, does it support WPA wireless networking, does it have to talk to something on the internet for it to work. But more importantly, it's a good time to check your housekeeping. Have you made sure your broadband router is properly configured, your wireless network, updated your PC for patches, implemented decent passwords.

The Internet of Things in your home adds risk, and unfortunately, the Things themselves probably won't protect you against that risk. Don't Panic. Make sure you're doing things right in the house in general and you should be ok.

Probably.


Tuesday 3 March 2015

Where to start?

Hey ho, another blog, another blogger, another opinion.    Does my opinion matter? That's up to you. 

My job is to help companies secure themselves against the bad guys. 

My concern is that the industry is made up of a lot of good and bad, and that unfortunately the bad is often snake-oil - products and services that do not end up doing what the customer needs.

My objective? To try and expose some of these issues and give people food for thought. I don't have the answers - if I did I'd be making money out of them - but I'm always looking.

What will I look at? Everything - security threats, technology, services, the law, the consumer, the company, the industry, outsourcing, finance, government, free-speech, privacy, malware, information, governance, audit, assurance, compliance. And more. 

Because every day there's another piece of the puzzle comes to light, and oftentimes, that piece is changing the shape of the puzzle, not just filling in a blank. It's a messy messy world out there...

Hope you find something of value to you deep in the prose.

Cheers

Sceptical