Improving Security on the Internet of Things

August 13, 2014
233 Views

ImageMark Stanislav calls himself a “security evangelist.” Online Tech has previously provided him a virtual pulpit from which to preach and his barnstorming tour continued last week in Las Vegas, where he spoke at the recently concluded DEF CON 22 Hacker Conference.

ImageMark Stanislav calls himself a “security evangelist.” Online Tech has previously provided him a virtual pulpit from which to preach and his barnstorming tour continued last week in Las Vegas, where he spoke at the recently concluded DEF CON 22 Hacker Conference.

Stanislav and Duo Security colleague Zach Lanier presented “The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making it Right,” described as a dive into research, outcomes and recommendations regarding information security for the “Internet of Things,” or IoT.

IoT refers to the interconnection of computing devices – everything from heart monitor implants to remote home thermostats – that transfer data without human-to-human or human-to-computer interaction. Essentially, anything that can be assigned an IP address and given the ability to transfer data over a network is part of the IoT.

Last year, Stanislav co-hosted two sessions in a three-part Online Tech webinar series on encryption, participating in both the Encryption at the Software Level and Encryption at the Hardware and Storage Level presentations.

In Las Vegas, Stanislav and Lanier’s presentation was about the rapid – and sometimes haphazard – growth of the IoT and the security risks associated with it. ABI Research estimates 30 billion devices connected to IoT by 2020.

The presentation drew the interest of the folks at Dark Reading, who featured the duo’s new security resource, BuiltItSecure.ly, which was launched in February. After struggling with their approach to smaller technology vendors with bugs and trying to handle coordinated disclosure, Stanislav and Lanier decided to change the process and dialog that was occurring into one that is inclusive, friendly and researcher-centric.

The loose organization of security-minded vendors, partners and researchers is focusing on “improving information security for bootstapped/crowd-funded IoT products and platforms” that may be tempted to choose a quick launch and profits over security.

When launched at BSides San Francisco earlier this year, the mission of BuildItSecure.ly was defined as:

Provide the information, resources, guidance, and community necessary to help small commercial and independent developers, makers, and inventors of hyperconnected, pervasive computing devices make security-conscious design decisions. Additionally, incentivize independent security research and reporting/coordinated disclosure of vulnerabilities/flaws in those very same devices.

Five more researchers have joined the Duo Security colleagues to populate BuildItSecure.ly with links to presentations and technical guidance on web application security, mobile application security, cloud security, network security and industry standards.

“All the researchers basically are doing this — one, because they want to help some people; two, because they are getting research done and not being sued for it,” Stanislav told Dark Readings. “They already have opt-in from these vendors.

“We’re going to have researchers looking at pre-production hardware, doing assessments against them… and actually making the device better before they go to people’s hands rather than after.”

Vendors, researchers and content creators are encouraged to get involved with BuildItSecure.ly’s efforts to enhance IoT security.