Earlier this week, in my presentation at CapArea.net on “Communicating with the Internet of Things” one of the points I emphasized repeatedly is the necessity to think about security early and often. Any time you are responsible for creating a device that can communicate with the internet, whether that be a home automation gateway, Wi-Fi-controlled light bulb, or and industrial control system designed for remote monitoring, you need to be sure you understand how that system can be attacked. As security MVP Troy Hunt likes to put it, you need to “hack yourself first.”
photo credit: nwogen on freeimages.com
The reason I bring this up is that I had an exchange today with Cuno Pfister of Oberon Microsystems, who announced today the Limmat platform, a gateway device that bridges Bluetooth LE and HTTP, part of which was about how they’re securing the device. As part of his response, Cuno pointed to this article, which describes a recently discovered flaw in BMW’s ConnectedDrive system that could potentially expose 2 million cars to remote unlocking or disabling.
Two MILLION cars. Try to wrap your head around that number for a moment. BMWs aren’t exactly cheap cars, either, and you’d think that they would take great care to ensure that the onboard telematics could not be hacked. But if the article is accurate (and I’m not an expert in auto system security, so I can only take the reporting at face value), it sure looks like they missed some major red flags in their implementation of the communication with the cloud.
So what’s an IoT developer to do? Start thinking about security as soon as you begin planning your product or system. Put on your black hat, and think through how someone would attack your system. Or if you’re not confident that you have the expertise to do so, hire someone who does.
Connected devices have great potential, but with that potential comes risk. And every new hack, vulnerability, or flat-out poorly designed product will make it that much harder for consumers and industry to put their trust in IoT. Attention to security early on in the product lifecycle is key to preventing this outcome.