API Academy

Sponsored by Layer7

A city with many connected wires and lights.

The Internet of Things and Security – Redux

By Bill Oakes, CISSPPosted on

The recent debacle of the Nissan Leaf triggered memories.  Twenty three months ago, I wrote a blog entitled The Internet of Things – Today.  In that posting, I mused about the rapidly emerging IoT, and some of the cool new things that were beginning to appear, such as Anki Drive and Nest solutions.  I also pointed out that in the “this is soooooooo cool!†world of development (somewhat prevalent amongst IoT developers), security often takes a backseat to the cool factor.

In a follow-up blog, “Of Monsters and Men and Machinesâ€, I gave some very real-world examples of just that…where the cool factor overrode the security factor.

Ohhhhh how naïve I was back then!

Since then, we’ve had:

  • Chrysler including the uber-cool idea of a WiFi hotspot in their vehicles, tied into UConnect- a super smart computer built into their vehicles.  And if you know the IP address of any of their vehicles, you can literally take over the vehicle – ‘cause who needs any kind of security of front of such a powerful solution?
  • The hyper-secure and hyper cool Snapchat app ensured that your photos/texts would be private and protected.  Unless, of course, you accessed the app via their API, which may result in 4.6 million user names and phone numbers published on a website (well, may result, did result…let’s not quibble with symantics).
  • The IRS, shaking off 30 years of drudgery, has gotten into the cool new world of the Internet – and makes your transcripts available via a “get transcript†API call.  Very cool!  Unless, of course, they failed to include adequate security in front of it, exposing 100,000 taxpayer accounts.
  • WiFi Barbies – what could go wrong?  I mean, besides not securing the connection, allowing the Internet to potentially listen-in/spy on your children.
  • Samsung Smart Refrigerators has a uber-cool new fridge that shows your Google calendar on the front door.  Cool idea!  Of course, not validating SSL certificates ensures that it’ll be hacked, along with your Gmail account….not so much.
  • And the latest – fresh off the press…the uber-cool Nissan Leaf.  One of the best representations of technology on the road today.  And many of the Leaf features are accessible from the handy Leaf app, allowing owners to remotely check the state of charge, heat/cool their cars before entry, etc.  This is all done via an API.  An unsecured API.  With no authorization function. Meaning if you simply know the VIN (which, of course is impossible to get.  Unless you look at the lower left corner of the windshield, where said VIN is stamped into the dash), you can literally control features of the vehicle.

I can go on (and on, and on, and on), but I think the picture is becoming clear – in the IoT, security continues to take a back seat to the cool factor.  I get why….I truly do.  Getting something out as first to market is an awesome thing.  I’m a total geek and a former coder who used to love to build cool things.  But….as a home owner…a vehicle owner…a bank account owner….and a parent – I now find myself carefully evaluating any new, cool function before I implement it to ensure that I’m not putting myself or those around me at risk.

Steps ARE being taken to address these security failures (albeit slowly), such as the OWASP Internet of Things Project. Organizations that ARE sensitive to these issues are also starting to look to software solutions like CA Mobile API Gateway and the other CA API Management products to provide a rock-solid security model and framework while their developers focus on the important (and more fun) work of building cool features.

One hopes that the developers in the various IoT industries takes note and gets on board….today.