Low-Impact Hacks Need to be Addressed Too

The Jeep hack showed that high-impact hacking poses a serious risk to the general public, but Valasek, one of the two hackers, feels that low-impact security issues cannot be overlooked. “Not every IoT vulnerability is going to be high impact,” he said at a Security of Things forum held in September. Yet, he feels that research into all possible threats needs to continue. “You have to judge how technology that might be vulnerable today will be used in the future.”

Yes, a Jeep that is hacked is a serious problem, but what about a Furby? As part of a research study, Michael Coppola, a Northwestern University graduate student, recently reverse engineered a Furby, the child’s toy of the 1990s that contains sensors that allow it to interact with the environment. The more modern Furby is equipped with connected technology, so it can interact with a mobile app. Throughout the project, Coppola discovered vulnerabilities in the communication between the Furby and other Furby toys as well as the toy’s mobile app.

Such hacks are known in the industry as “low-impact” hacks, and they are tempting to overlook. Yet, if we are going to be serious about security, these have just as much value as the high-impact Jeep hack. What happens when another, less innocent connected device hits the market using the same chip as the Furby? Now we have proven it is vulnerable. Security must be addressed.

Valasek makes a strong point. It may not seem like a big deal if your fitness tracker can be hacked, which at worst is an inconvenience if your data is changed, but what happens when that fitness tracker becomes your personal banking device as well in the future? Suddenly that vulnerability becomes more personal. Or, what happens when employers of the future start making decisions based on the health of applicants, and access your tracker’s information to do so? Now you have a problem if someone can hack the data.

Moving forward, developers are going to have to address all types of threats, the big ones as well as the minor ones. It’s an overwhelming task, but it’s one that’s going to have to be addressed if we are going to fully benefit from the Internet of Things. Today’s low-impact vulnerability in a connected device can quickly turn into tomorrow’s high-impact problem.

A “Ticking Time Bomb”?

Back in May, Deepak Taneja, former CTO of RSA, sat on a panel at the TIE Startup Con. IBM’s Andy Thurai asked him how he felt about Internet of Things security issues, and he admitted that it was a “time bomb ready to explode.” According to Taneja, technology is advancing so fast that enterprises can’t keep up with security protocols. “Organizations aren’t spending that much on security. It’s increasing, but not enough and IoT only makes it worse,” he said. “So it is a time bomb.” Part of the problem, Taneja indicated, is the rise of innovation. “You can’t worry about security and privacy when you’re innovating,” he said. And that’s the reality of the situation. If we are going to see technology take the amazing leaps and bounds it’s capable of, we can’t hinder researchers based on security concerns.

So What’s the Answer?

So, if we can’t hinder innovation in light of security concerns, what can we do? I believe the answer is in using caution before bringing products to market. Allow innovators to create the next new and exciting pieces of technology, but use caution before putting them in the hands of the general public, ensuring that security measures are in place. Then, focus research on the realities of security. Continue pioneering programs and demonstrations like the Jeep hack that show and fix vulnerabilities. Then, we can benefit from connected devices with less security risk. If everything, from an innocent child’s toy to the vehicle driving down the road, is vulnerable, is the connected world going to be a safe one? I say that it can be, but it’s going to require careful development to ensure that people are in control of the connected things, not the other way around. There are simply too many people out there willing to use technology for nefarious purposes for us to ignore this any longer.

Image credit: By Mick from Northamptonshire, England [CC BY 2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons