Smart devices get smarter, but still lack security

While many smart devices are coming with more cool features, improved security isn't one of them

by Taylor Armerding

As you shop for that new "smart" refrigerator that can do everything including figuring out when you're low on milk, perhaps you should also think about the risk of some mischievous hacker taking control of it and having 5,000 gallons of milk delivered to your door.

That scenario is real. It has been demonstrated. Security experts have been saying for more than a decade that, in the world of electronic devices, "smart" does not mean secure. They have warned that if security is not made a priority, the convenience provided by those devices will be undermined by cyber criminals.

And most of them say things have gotten even worse since those warnings began, in part due to the explosive growth of consumer devices with embedded computers.

In an interview with PaulDotCom Security Weekly TV this past February, Craig Heffner, a vulnerability researcher with Tactical Network Solutions, put it bluntly. "Go back 15 years in computer security, pick every problem we've had from then to now, and you'll find it in embedded systems," he said.

That would make it a problem growing by orders of magnitude. At a conference on the Internet of Things (IoT) last month, sponsored by the Federal Trade Commission (FTC), the agency's chairwoman, Edith Ramirez, said the 3.5 billion sensors now on the network are expected to grow to trillions within the next decade. Indeed, many of today's new cars already have more than 100 embedded, connected computers.

"Five years ago, more things than people connected to Internet," she said. "By 2020, 90% of all cars will have some kind of vehicle platform, up from 10% today. By 2015, there will be 25 billion things hooked to the Internet. By 2020, that will grow to 50 billion. In the consumer market, smart devices will track our health, help us remotely monitor an aging family member, reduce our utility bills and tell us we're out of milk."

But all that, she said, will come with "undeniable" privacy and security risks. In response, she said, the stance of the FTC is that, "companies need to build security into their products, no exceptions."