I spent a few hours interviewing and discussing the Internet of Things (IoT) with as many vendors as I could find. I had many good laughs and shed a few tears during the process. To describe the process, the general communication would go something like this:
Me: "Can you point me at the most technical person you have at your booth? I'd like to talk about how you secure your devices and the sensitive / personal data that they access and collect."
Smartest tech person at the booth: "Oh! We are secure; we [insert security-specific line here]."
Me: "Never mind . . ." (dejected look on my face).
Let me list a few of the more entertaining responses that I received. I will not be including vendor names to protect the not-so-innocent.
From a connected home vendor: "We are very secure. If you try to take one of our sensors off the wall, it will set off an alarm and alert you on your mobile device. That's really secure!" When I pressed on real security of the devices that will be controlling my home, he said, "I."
Another connected home vendor: "We use ZigBee for communication and that is secure." I then asked, "What about the data you store? Is it up in the cloud?" The vendor replied: "Absolutely . . . but that doesn't have any impact on security."
Even the smart watch vendors were not immune to ignorance. One strong retort came as: "We are just presenting what's on your phone. As long as it is secure there, it will be secure on our smart watch."
Since the ZigBee argument was so pervasive, I went and had a detailed conversation with one of the marketing evangelists at the ZigBee booth. Finally, I met someone who knew what they were talking about. However, his responses weren't all that reassuring either. He very intelligently stated that the ZigBee protocol is as secure as they can make it, but vendors shouldn't rely solely on the security of communication protocols to ensure security of IoT sensor data. He also offered to get me in touch with someone who is responsible for the security pieces of the protocol; he agreed that this is only one piece in the greater security of the IoT puzzle.
I didn't even bother to interview many of the fitness, wellness, and health tracking vendors for fear of being so discouraged that I would give up and hop on the next flight home. I've sent out a tweet to the #CES2015 hashtag in hopes that someone, somewhere, within the 150K people at CES this year will be able to point me at a good answer to security of IoT devices and data. Somehow, I just don't think this is going to happen.
Posted by Tyler Shields