Tuesday, October 4, 2016

(The Big Disrupt) IoT: Why IoT Security Will Continue To Be A Mess










We at the Carnage Report have been writing piece after piece about the sorry state of IoT security and cybersecurity in general, and as things stand, the features on this topic are set to continue and even increase in scale.

When the Nobel Prize-winning economist Ronald Coase asked "why do firms exist?", he answered his own question by saying that firms exist to lower the transaction costs entrepreneurs would have to negotiate and pay for in the open market without one [1]. While Coase's observation may seem obvious and unrelated to the sorry state of IoT security, it's quite difficult to understand why IoT is so vulnerable to attacks without his simple but profound answer.

In the age of the internet, transaction costs have sunk dramatically, making everything from watching movies to starting a business easier and cheaper than ever before. While the great fall in transaction costs has been one of the great drivers of change and innovation in the last few years, it's also the reason why Yahoo's recent record 500 million data breach will almost certainly be beaten. Record low transaction costs have been good for everybody from startups to behemoths like Google and Facebook; however, low transaction costs have also been good for another group: hackers.

Low transaction costs are why hackers can launch attacks at scale for a pittance, breach large but vulnerable corporate networks, and steal data to sell on online black markets for huge payouts. The most unfortunate group in the low transaction cost environment is, ironically, companies like Yahoo and LinkedIn, who have thrived because of it and helped shape it. Large companies from Target to Anthem have fallen victim to data breaches compromising their networks and have paid a heavy price in reputational damage and lawyer fees dealing with the fallout of a hack.
Hackers, on the other hand, have made bank selling data in bulk, either ransoming companies for their data or selling it on black markets if they don't pay up. Where IoT security comes into this low transaction cost environment is that it takes the advantage hackers have over large companies and expands it tenfold.

Transaction costs for hackers are significantly lower than for most companies, which allows hackers to hack IoT devices at scale and use those devices to launch record-breaking DDoS attacks. Despite all the advantages large organizations have in staff, budget, and expertise, these advantages are rendered obsolete by the fact that hackers have low transaction costs and thus a much wider margin of error: they only have to find one entry point, while organizations have to secure an ever-increasing number of them thanks to the increasing use of IoT-enabled devices.

What makes this worse is that hackers collaborate in increasingly innovative ways to hack into devices, while organizations are less than willing to reveal data breaches, never mind sharing and collaborating with other organizations to make it harder for hackers to hit companies with the same exploits again and again. However, while hackers have the upper hand over large organizations, their advantage is enhanced by the outright irresponsible mindset most executives have towards security.

This blasé mindset is rampant in the IoT marketplace as company after company, from Intel to AT&T, rushes to market and sells poorly patched or unpatchable IoT-enabled devices to consumers knowing full well how vulnerable their devices are. Well-respected CIOs have come out in public with a straight face and lauded the "ship first, patch later" approach to selling IoT-enabled devices, from smart TVs to smart fridges, as if they're not aware that the scale on which IoT devices operate will leave their customers at the mercy of hackers who openly brag about how easy it is to compromise IoT devices.

In no other industry can executives get away with this level of carelessness and be heavily compensated for it, but in IT, it's the norm. We saw similar levels of neglect when PCs and laptops were introduced into the market and customers were more or less left to deal with the fallout when their device was hacked. We've seen similar neglect of the security question with the increased use of smartphones, and now we're seeing it with IoT-enabled devices, but this time the price of the neglect will be hard to ignore.

In sum, IoT security and cybersecurity in general have been in a sorry state for a long time, and all-time lows in transaction costs have made the glaring security vulnerabilities and the incredibly relaxed mindset about security among executives clear for all to see. If neither is addressed, the exploding market for stolen data, ransomware and malware will be the least of our problems.


  1. R. H. Coase, 1937, The Nature of the Firm, http://www.colorado.edu/ibs/es/alston/econ4504/readings/The%20Nature%20of%20the%20Firm%20by%20Coase.pdf
