Size matters. Which is one of the main reasons the Internet of Things (IoT) is, and is likely to remain, a very dangerous place.
"The embedded-system space makes the attack surface of the non-embedded space trivial by comparison," said Dr. Daniel Geer, keynote speaker at the Security of Things Forum in Cambridge, Mass. last week.
Geer, chief information security officer at the venture capital firm In-Q-Tel and an adviser to U.S. intelligence agencies, added a partial caveat: "Perhaps I overstate that. Perhaps that is not true today," he said. "But by tomorrow it will be true. In the embedded world, which makes the PC, phone and whatnot market seem trivial by comparison, performance stays constant while the cost goes down."
The explosively expanding attack surface is not the only major reason for security risks on the IoT, he said. Another is diversity -- the lack of it. Referring to what he called a "computer monoculture," Geer noted that, "a cascade failure is much easier to detonate in a monoculture when an attacker only has to weaponize one bit of malware, not 10 million."
He said he is "entirely sympathetic" to the reason for that monoculture. "Making everything almost entirely alike is and remains our only hope for being able to centrally manage it all in consistent manner," he said.
But, he said it is a clear risk-management decision, with major central control implications: "Would you rather have the inordinately unlikely event of an inordinately severe impact, or the day-to-day burden of everything being different all the time?" he asked, noting that the choice comes with a trade-off. "When we opt for monoculture by choice, we had better opt for tight central control," he said.
A third major problem, Geer said, is that embedded devices tend to be long-lived, but also lack a remote management interface. "A fundamental question," he said, "is whether immortal embedded systems are angelic or demonic.
Clearly, he leans toward the demonic view. "That combination -- long-lived and unreachable -- is the trend that must be dealt with and possibly even reversed," he said, given that Advanced Persistent Threats (APTs) are, "easier in an environment where much of the computing is done by devices that are deaf and mute once installed, or where those devices operate at the very bottom of the software stack."
Geer said decisions about whether embedded devices must, "self destruct by some predictable age or that remote management be a condition of deployment is, dare I say, the national policy question," he said. "But in either case, the Internet of Things, which is to say the appearance of network-connecting microcontrollers and seemingly every device that has a power cord or a fuel tank, should raise hackles on every neck."
That, he said, is because of the fourth problem:"The root source of risk is dependence," and people and society are becoming ever more interdependent, "especially on the expectation of stable system state."
That system, he said, is more fragile than most people think. "As society becomes more technologic, even the mundane comes to depend on distant digital perfection," he said, using the nation's food supply as an example.
"Our food pipeline contains less than a week's supply, and that pipeline depends on digital services for everything from GPS-driven tractors to drone-surveilling irrigators to robot vegetable-sorting machinery to coast-to-coast logistics to RFID-tagged livestock," he said.
"Is all the technological dependency and the data that fuels it making us more resilient or more fragile?" he asked.
Next section: No easy fix