Nitesh Dhanjani is a well-known security researcher, writer, and speaker. He is currently Executive Director, Cybersecurity, at Ernst & Young, where he advises C-suite executives at the largest Fortune 100 corporations on how to establish and execute complex multimillion-dollar cybersecurity programs.
He recently released his latest book, Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts, so it was the perfect time to have a conversation about IoT security.
What are the most significant misconceptions people have when it comes to IoT security, even in the information security community?
We are biologically wired to concede to optimism bias – the mistaken belief that the one’s chances of experiencing a negative event are lower than that of other people. When it comes to the risk posed by attacks against IoT devices, this perception is further fueled by the notion that living in a traditional world of disconnected devices will continue to be an option.
We have already seen demonstrations of attacks, such as those against connected cars and medical devices, that can result in physical harm or the loss of life. As our society becomes increasingly reliant on devices around us to be connected, the line between our virtual and physical spaces will blur. Once vulnerabilities in popular IoT devices begin to be actively exploited to cause harm, our default biases attuned to favor optimism will shatter.
Within the information security community, I find that there is lack of appreciation for the profound responsibility we have to help secure devices that human-kind is going to rely upon to survive and even migrate to other planets. We dwell upon the criticality of state sponsored attackers with a myopic comprehension of the risk that awaits us. I feel we must begin to look upon connected systems such as smart cities, our increased reliance on medical devices that are online, and our projects to preserve our species to survive beyond planet Earth (such as what Elon Musk is doing with SpaceX).
We also need to start thinking through how best we ought to have conversations around existential threats such as super-intelligence. My intention has been to help us approach the topic of IoT security by taking a look at security contained within devices that we are already relying upon today. It is through this tangible understanding of the current landscape that we can being to build a strategy that will see us to a sustainable future.
How do you expect information security to evolve with billions of new devices getting online in the next few years?
We are going to see situations that will enable various types of threat agents with the ability to cause physical harm towards select targets as well as a sizable groups of populations. This is also likely to include violations of privacy orchestrated by exploiting the ecosystem of devices that we are going to come to depend upon. Threat agents beyond nation states, i.e. terrorist gangs, cyber-bullies, and predators are going to exploit connected devices to orchestrate scenarios that go well beyond traditional intentions of stealing mere financial information.
The concept of a ‘computer’ is likely to quickly dissolve in our nomenclature as we expect most devices around us to be able to compute and communicate to serve us at all times. Increased understanding of high probability of attacks will increase expectations that IoT device vendors have responsibility to assert security controls such as monitoring and detection by default. I also feel that device manufacturers and consumers will look to the insurance market to obtain coverage against attacks in leu of taking upon the insurmountable task of fully securing an ecosystem of billions of connected devices.
What are some of the most interesting things you’ve learned about the IoT while writing the book?
The majority of vulnerabilities plaguing IoT devices in the market today are caused by basic fundamentals that we have burnt us in the past with our existing infrastructure. Examples include the lack of input and output validation, badly implemented cryptography, and shoddy access control.
I am more concerned of the IoT infrastructure we have in place today than I had originally imagined because these devices are unlikely to be replaced at the same rate as our traditional computing environment has been. A lot of these devices contain glaring security holes without an efficient mechanism to patch them.
What advice would you give to organizations that need to augment their industrial systems for proper IoT adoption?
My advice is to implement proper security hygiene in the design of these devices with the understanding of how threat agents are going to evolve to leverage vulnerabilities that target scenarios that sneak into our reliance on critical use cases and safety. Organizations need to holistically look at the entire ecosystem of their business model coupled with the use and abuse cases that may target their devices that is prioritized by potential threat agents. In addition to this, the urgency of paying attention to hardware security, inclusive of strict and complete control over the supply chain of parts will be critical.