Join us for Part 2 of our conversation with Kirsty Paine, Strategic Advisor for Technology and Innovation at Splunk, as she takes us through the intricate world of IoT security standards. In this episode, Kirsty discusses the opportunities and threats of a hyperconnected world and shares her expertise on the importance of standards bodies in ensuring the safety of IoT devices. Hosted by Bret Jordan, Chief Security Strategist at Afero, this conversation is a must-listen for anyone interested in the future of connectivity and protecting our digital lives. Get ready for an enlightening and thought-provoking discussion with one of the leading voices in IoT and security!
- The "Attack Surface" for nefarious actors is growing exponentially, increasing the concerns that consumers are at serious risk.
- The persistent use of "admin-admin" credentials weakens security and poses an easy-to-access threat vector.
- Don’t wait to be hacked before you decide to take security seriously.
- Using best practices in developing standards and paying close attention to essential use cases is critical.
- The collaboration among the participants working on IoT standards at ETSI created a distinct and tangible sense of teamwork.
Some highlights from the conversation:
Bret Jordan: Across the board, there are multiple standards that can compete with each other. For instance, standards from various organizations that seem to address or satisfy only one aspect of a larger puzzle. This can be a problem for companies, who may struggle to understand which standards to prioritize and which standards to implement.
Kirsty Paine: It's safe to say that meeting standards and regulations is not something people enjoy, and they would rather meet one than twenty. This is where government involvement in standards can be beneficial, as they are not financially motivated but rather motivated by the needs of the citizens. When it comes to legislation, the goal is always to make it reasonable, achievable, and practical, without doing too much too quickly but rather doing enough to influence the market as needed. In the case of IoT, ETSI has been successful because everyone recognized the urgency of the problem. As of 2020, some people were still using admin-admin as device credentials, despite the potential for niche attacks and the need for side-channel resistance. The key is to recognize the problem and implement interventions that make sense.
Bret Jordan: The attack surface of connected devices that people bring into their homes is vast. By attack surface, we mean the entry points that a threat actor could exploit. It's like having a large home with many doors and windows on the ground level, providing burglars with more entry points to exploit. This is a concern for IoT devices, particularly when deployed in metropolitan areas and on a grid level. It's even more concerning when devices are shipped with admin-admin credentials, making them easier targets for attackers.
Kirsty Paine: You really are just leaving the front door open with admin-admin, right? For every device that you connect to your network that has this sort of weakness or vulnerability, you are just opening up more points of entry. It is like you are just leaving the front door open for that attacker. The worst part is you don't always know about these issues. We often hear these horror stories of IT devices that have a working camera and mic in them, and no one knew because it was developed from a board that had them and they were never taken out before it was shipped. It is part of that rapid development life cycle. It is first to market, first mover advantage. This is what is incentivizing a lot of these companies. They're not doing it to be horrible. Many don't realize the problem with leaving that port open or not changing those hard-coded credentials.
Bret Jordan: I wonder if SBOM, the Software Bill of Materials, will help there? You mentioned cameras a couple of times. We hear these horrible horror stories of people compromising a person's camera in their house, stalking them, or learning about everything they do.
Kirsty Paine: The issue with baby cameras is that it can have a real impact on people's lives and can be genuinely scarring. It's a horrible story, and it highlights the importance of making sure that devices are secure. Similarly, when you have smartwatches designed for children that are intended to receive messages only from their parents, it's important to remember that children are people who develop trust in these connected devices. As they become familiar with the device, they may rely on it to provide accurate information and follow its instructions.
Bret Jordan: Another thing I've heard that I find interesting is when people always say, 'Oh, well, why me? No one's ever going to bother me. Why do I need to care about security? Why do I need to do these things? Because nobody knows me, and no one will come to attack me.' Do you have any thoughts on that?
Kirsty Paine: It's a realization that I often hear from victims of fraud, because you don't have to be a millionaire to be a target for fraud. It's kind of easy to forget that globally, in the UK, the US, and European countries, we are rich compared to basically most people in the world, and that makes you a target for extortion and fraud. Even if they're not trying to target you, they're just trying to target this device and use it for something.
Bret Jordan: For the listeners of this podcast, what you need to take away or what you need to understand from this discussion is that your smart light bulbs, your smart plugs, your smart door lock, doorbell, or cameras in your house - it does matter. The security of those devices does matter, not only for your safety and peace of mind, but if a threat actor can compromise those, they can do other things because now they have a footprint in your home, a digital footprint, and they can move what we call laterally through your home network and compromise other things that may be much more sensitive. If you're going to be buying smart and connected things, you really need to try to find devices that are more secure and have better support for vulnerability updates, management, and making sure that the devices are secure. What we've learned from Apple is the importance of having end-to-end encryption, especially for your private information, so that nobody in between can access it. When you don't have good end-to-end encryption or the encryption is using symmetric keys and those symmetric keys are stored in the cloud, that provides whoever has access to the cloud full access to everything that's going on.
Kirsty Paine: It's our job to make people aware of a credible threat and what they are facing. And so, at the moment, unfortunately, the state of IoT security, it's so bad that a lot of attackers can get in with admin-admin credentials.
Bret Jordan: Where do you see this going over 12 to 24 months?
Kirsty Paine: The number of IoT devices is only going to increase; it won't slow down, and we'll see more crossover between consumer and enterprise devices. I expect that within 24 months, we will start seeing some actual gains in the development of smart cities. I'm looking forward to seeing what will happen in the next 12 to 24 months. I hope that as things continue to grow and become more secure, we will see that legislation doesn't slow down any innovation, which would be the dream.