Two drastically different paradigms are colliding together when it comes to the Internet of Things, and it doesn’t bode well for our security, claims security specialist Bruce Schneier.
Schneier explained how IoT-connected devices such as medical devices, which are almost impossible to keep up to date with the latest security defenses, will go at odds against attackers who are continually improving their attack methods, with “catastrophic” consequences.
“As we move to the Internet of Things, where things are less patchable and less high-end, we’re going to have problem,” said Schneier, addressing a keynote audience at InfoSec 2016 in London.
“Right now, how you patch your home router is to throw it away and buy a new one. That is the patch path. And a lot of our systems, like a phone, are patched all the time, but a lot of the security comes from the fact we get a new one every 18 months. We get a new laptop every two years. That allows us to get better. But you buy a new refrigerator every 15 years. You buy a new thermostat, what, approximately never? That’s going to be a big problem,” he explained.
“We’re not going to be able to live in a world where to update your defibrillator you’ll have to open up your body and get a new one – and that’s going to be bad,” he said.
Moreover, as the Internet of Things scales up to include power plants, communities, cities, and governments, the risk will increase.
“There’s much more of a worry for catastrophic risk. Our systems are getting so big that we can’t afford a single failure. And that’s going to happen soon,” said Schneier, illustrating how we’re reaching a security tipping point.
“There are two basic paradigms of security. There is paradigm A, which is secure it properly the first time. This comes from the world of dangerous physical things. Automobiles, planes, medical devices, buildings. This is security of design. This is certifications. This is testing. This is licensing. This is get it right the first time the first time because getting it wrong would be a disaster.
“Then there’s paradigm B, which is making sure your security is agile. This comes from the fast moving and heretofore largely benign world of software. Rapid prototyping, rapid updates, recoverability, mitigation, adaptability. Putting it out there and fixing it on the fly. These two worlds are colliding and it is unclear how we can do both. We’re starting to see the collision.”
“The process doesn’t allow for updating. The process was get it right the first time. I don’t have an answer,” he said.
Because of all of this, Schneier confidently predicted that we will see increased government intervention within the Internet of Things and cybersecurity space.
“We’re going to see greater fear rhetoric, because this stuff is actually scary. We’re going to see more rhetoric of fear,” he said.
“I think that more government involvement in cybersecurity is inevitable simply because the systems are more real. We’re going to see more cyberwar rhetoric, more cyberterrorism rhetoric, more calls for surveillance, more calls for use control, more “trust me I’m the Government”.
Google is reportedly laying off at least 200 staff from its “Core” organisation, including key…
Investor appeasement? Apple unveils huge $110 billion share buyback program, as sales of iPhone decline…
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
View Comments
Not quite. If there's a way for a hacker to access a device, there's a way to update the device. After that it's down to can you update it without interrupting service. But that's just a technical design exercise and cost/benefit calculation. Also, why do I want my pacemaker's workings to be remotely accessable? If they are, jail the company execs that thought it'd be cool. Read only monitoring feed, sure. Local NFC updates, maybe. Internet access to my pacemaker - are you insane?