Helping companies navigate the treacherous waters surrounding IT security and secure product development
There are approximately 12 billion connected devices today (May 18, 2014), and by 2020 forecasts call for anywhere between 26 and 50 billion devices to be connected into the Internet of Things. Fortunately for me, not all of them live on my network at home.
I’ve counted 34 network-connected devices in my house that have firmware/software that can be updated. 19 of them are configured to check for updates on their own. When do I check for updates for the other 15? When I get:
Right. When I get around to it. That means 44% of my devices are running the software they came with, or something very close to it. But I only represent .00000028% of the 12 billion devices that exist in the Internet of Things today. If I’m representative of the Internet-at-large – a very bold claim – then that could mean that more than 5 billion devices are running the software they were shipped with – with all of the bugs and security vulnerabilities that existed then. That’s a target-rich environment, even if my guesstimates are off by several orders of magnitude.
The recent Heartbleed vulnerability made a lot of news because of the potential vulnerabilities to major web sites. This is exactly the type of security bug that should trigger ALL device owners to upgrade their software. Yet on May 8, security researcher Robert Graham reported that over 318,000 systems were still vulnerable to the bug. That’s 20% of the servers that could have the bug! Perhaps I should send the admins of those sites a “round 2it”?
We’re at risk, and we know it. So why do we allow these devices to remain unpatched? I can think of 6 common reasons:
1) “If it ain’t broke, don’t fix it.”
How many of us have time to spend looking for fixes to problems that we’re not experiencing? If your device works, why would you spend time to “fix” it? This is a common refrain in both personal devices and in enterprises. Making changes introduces risk. What if the update that fixes a problem exposes a new problem that you weren’t experiencing before? When you already have enough work to fill a 12-hour day, why would you go looking for more things to do?
2) “Software update? Huh, what is that? How do I do that?”
I’m in the computer security business. My teams have built several of the products that are used to secure networks. So I know about software updates and the reasons why I should update devices, and I just told you that I haven’t updated all of my devices. So it’s no surprise that people who have little to no formal training in security and software systems wouldn’t be on top of their upgrades. Many people have routers, WiFi access points and computers – all of the makings of a data center just 10 years ago, but they don’t have the IT staff to operate and update that equipment. Perhaps a neighborhood geek set it up for them. Or one of their relatives. They have the technology, but they don’t know anything about it, how it works, or even that it could be updated.
3) “I can’t update it because I can’t access the device.”
My 34 devices are all in easily accessible places in my house. But not every device is as conveniently located. Some devices are installed at remote sites where no people work. Other devices may be installed in regulated or restricted areas where access may be impossible or extraordinarily difficult. While you may have network access to the device, if it doesn’t support installing updates from the network, you will still have a problem. Knowing how – and from where – your device can be updated is important, and something that you need to plan for before you install it.
4) “I can’t update it because it doesn’t support updates.”
No matter how easy it is to access the device, if it wasn’t designed to be updated, you are faced with replacing the device with something new if you find a bug or problem that you can’t live with. In extreme cases, you may find yourself having to add other layers of protection or equipment to protect the device.
5) “I can’t update it because doing so would invalidate the certification for the (larger) device.”
While this is more often an issue in very large, expensive devices, you may sometimes find a network device located inside of a larger device. Examples could include medical equipment (MRI, CT, PET scanners, insulin pumps), industrial automation systems or even something as familiar as your car – newer cars may contain more than 10 computers that operate on multiple in-car networks. In medical and industrial control systems, the larger device may be certified based on certain software versions running on the hardware in the device. If you change the software – even just a one-line fix in the code – that may require re-certification of the device for use, which could end up costing large amounts of money.
6) “I haven’t gotten around to it.” (see above)
The most common refrain. Everyone is busy. The idea of adding another item to your to-do list to check the software update pages of ALL of your vendors every day – or even every week – is more than some people can bear, which means that we’re going to have to make devices that are built from the beginning to automatically seek out and apply updates as they become available. The device has time, you don’t.
If the Internet of Things is going to be reliable, we’re ALL going to have to get better at updating the software on our devices to ensure they operate correctly and safely. In my next blog, I’ll explore what this means to manufacturers of these devices and what you, as a customer, need to be looking for when you purchase devices. Caveat emptor.
(This post first appeared on LinkedIn on May 18, 2014.)
Steve DeJarnett is Managing Director of Safer Harbor, a consulting firm focused on helping companies navigate the treacherous waters surrounding IT security and secure product development. We believe that the notion of a completely “safe harbor” is illusory and that companies must always maintain vigilance to protect themselves and their products.