Now that the internet continues to grow, laptops and mobile phones are no longer the only way to access the web, and televisions, baby monitors, ovens and cars can be networked. Even more and more medical devices and other important devices are beginning to embed Internet functionality. Unfortunately, technological development also raises the question of security. At a recent black Hat convention and the Defcon security conference, technicians showed a lot of things networking devices being hacked. Although the safety of IoT has received a lot of attention, we still have to face a hard battle.
Lack of updates is the key
For IoT security, the biggest hurdle is deploying invalid or unreasonable security updates. Code is vulnerable at any time, and if security issues are carefully considered in the design and development process, there will be a noticeable reduction in related threats. Not only that, all software vendors must respond quickly to vulnerabilities and release patches in a timely fashion.
Learn from the past experience
If we look at current iOS and Android systems, we know the impact of patch fixes. These two systems have a lot of security resources, and they also have very good system organizations, and they can quickly provide patches if they find security issues. However, the timeliness of Android upgrades does not seem to be good enough compared to Apple. Apple can send security patches directly to users via iOS updates, but Android often has a variety of delays due to the problems of device manufacturers and operators, many of which take months or even years to update. Currently, fewer than 18% of Android devices run the latest version, and 82% do not complete security updates in a timely fashion.
IoT parties are thinking for themselves, so that the security patch "very hurt"
Can a patch pack solve this problem if you've recently purchased a security flaw in the Internet oven, fridge or baby monitor? Let us first look at what the parties involved in the Internet of things are thinking about.
Manufacturer
sell products; see Internet connections as a function, not a particular area to dabble in; focus on the public perception of products and drive sales.
Consumers
The equipment can meet the main needs; Internet connection is a good function or a minor function; Most people don't want to bother with "fixing the equipment".
Criminal organizations
control equipment, the target network into a "zombie network" for distributed attacks, "hide themselves", not found, as far as possible without affecting equipment work, so that "victims" will not "repair" equipment, and will not eradicate malicious software.
If you evaluate the above factors, you will find that at the manufacturer end, patching the device is not a high priority. Criminal organizations are looking for holes in a series of outdated devices that are smart enough to deploy malware without affecting device performance. This means that consumers are unaware that the device has been deployed with malware, and that the vulnerability will hardly affect the consumer's perception of the device or encourage the manufacturer to proactively focus on the security of the device.
There are many victims of security vulnerabilities.
Manufacturers may not be in a hurry to resolve equipment deficiencies, but that does not mean that the damage is not serious.
Consumers will lose their privacy, data will be monitored, and even sold to others. With the expansion of the internet of things, these data will involve more privacy, such as health data, geographic location, indoor video, children, etc.
Network applications across the Internet are at great risk. Connected devices are vulnerable to attack, and they are not only stolen, they can even be connected to a malicious "zombie network." The stolen device sends spam, participates in blocking service attacks, and even steals user authentication information on the network.
Effective deployment of patches is a big problem
Hackers are very cautious, but vulnerabilities are found and users are asked to patch them. But what about this?
Device manufacturers usually "rush" to release a patch package if they encounter this situation, but after that? How are these patches sent to the device? Will consumers need to reboot their ovens, cars, or pacemakers when the updates are complete? Do these patches apply to next-generation products? Unfortunately, these are the challenges we face today, and even with a patch package, we can't deploy to the device in a timely and efficient manner.
How can we do better?
Consumers need to change the "motivational model" to allow manufacturers to quickly fix vulnerabilities. To achieve this, we need to increase the disclosure and publicity of security threats, as well as research data on the security vulnerabilities of the Internet of things. Hackers who often get online from things must be held accountable for their actions and severely punished. There is also a need to understand positive, positive security methods to help build more stable and secure things networking equipment.
The device manufacturer must be prepared for possible security vulnerabilities in the product. Safety issues should be taken into account in the design and manufacturing phases to avoid obvious security vulnerabilities. In addition, a workable "patch mode" must be established to install the necessary security patches at least once each upgrade is updated.
The Internet of things will soon "encapsulate" our lives, and in the past few decades, if we have learned some lessons and experiences from the Web and computer security, it is necessary to apply security initiatives to the IoT planning. We cannot plan for every vulnerability and threat, but we must devise a way to quickly deploy code patches, otherwise the Internet will become a botnet.
(Responsible editor: Mengyishan)