Cisco kicks off $300k Internet of Things security competition Cisco has announced prizes of up to $US75,000 to get help finding ways to secure the burgeoning Internet of Things. Anyone who watches the procession of SCADA vulnerabilities, the exposures discoverable through the Shodan search engine, or the recent bugs popping up in cars, routers, home automation and (maybe) smart …
Anyone who solves tne security issue of IPv6 in a fashion small enough for small devices is going to make a fortune. Apart from the tangential observation that Cisco is a US company and thus most likely to be as subverted by their government as Huawei is alleged to be by the Chinese, I would NOT give such ideas to a company without so e solid agreements.
I have seen it often enough that someone creates ideas that are handed off without proper agreements, and it invariably ends up with the person having the idea being sent hom with a dry sandwich while the execs start reading up on which yacht to buy next.
It won't solve all the problems. But it will solve a lot of them. If there's no way for a bad guy to change the thing's non-volatile settings, it'll mean that power-cycling the thing restores it to whatever state you stored in it by using the write-protect switch. Note: it must be true hardware protection, that's completely impossible to alter by any sort of software exploit.
Making the Internet Of Things secure / better is going to be very difficult. To address bugs in a worldwide deployed software installation you need a worldwide update capability, and a whole team of devs whose only job is fixing the software. That's a very difficult thing to achieve. Not even Google have achieved it in any meaningful way with Android.
When you look at what platforms are there out there which can realistically and universally receive updates there's not many. Windows is quite good, though I don't know about embedded Windows. iOS and OS X aren't bad either (though you have to depend on Apple giving a damn). Linux distributions (notAndroid) aren't bad either, but again it depends on someone actively taking a long term view (i.e. you don't want old distros being cut off from updates simply because a new one has been published). I guess that QNX could be self updating; BB10 sorta does, though the user has to actively kick-off the installation; it won't happen autonomously.
The manufacturers of Internet Connected Things aren't motivated to take all that on board because it will cost them money. Sling some Linux based firmware together, get it to version 0.0.2, sling it in the fridge (or whatever) and sack the dev team / move onto the next one. They don't want to have to be spending money updating fridges they shipped years beforehand when there's no revenue stream to fund it.
The flip side of that is that if Internet Connected Things start getting hacked, and being actively broken by the hackers, you might start seeing a flood of warranty returns on fridges, Smart TV's. That'll put the manufacturers off the whole idea very rapidly, especially as it's likely that hardly anyone is seriously using the internet connection features on these devices anyway.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
