Is the IoT sacrificing security for ‘cool’?

The Nissan Leaf is the latest in a string of IoT hacks that show why API security cannot take a backseat to ‘cool’

The recent hack of the Nissan Leaf triggered memories.

It reminded me that nearly two years ago in my first blog, “The Internet of Things – Today,” I mused about the rapidly emerging Internet of Things (IoT), and some of the cool new things that were beginning to appear, such as Anki Drive and Nest solutions.  I also pointed out that in the “this is so cool!” world of development, security often takes a backseat to the cool factor.

Walk down memory lane

It reminded me of how naïve I was when I provided all the examples of the “cool factor” overriding the security factor in a follow-up blog, “Of Monsters and Men and Machines.”

Or what about these?

  • Chrysler including the cool idea of a WiFi hotspot in their vehicles, tied into UConnect, a super smart computer built into their vehicles.  And if you know the IP address of any of their vehicles, you can literally take over the vehicle. Who needs any kind of security in front of such a powerful solution, right?
  • WiFi Barbies – what could go wrong?  I mean, besides not securing the connection, allowing the Internet to potentially listen-in/spy on your children.
  • Samsung smart refrigerators that show your Google calendar on the front door.  Cool idea!  Of course, not validating SSL certificates ensures that it’ll be hacked, along with your Gmail account.
  • And the latest – fresh off the press: the uber-cool Nissan Leaf.  One of the best representations of technology on the road today. And many of the Leaf features are accessible from the handy Leaf app, allowing owners to remotely check the state of charge, heat/cool their cars before entry, etc. This is all done via an API.  An unsecured API. With no authorization function. Meaning if you simply know the vehicle identification number (VIN), you can literally control features of the vehicle. Spoiler alert: VIN numbers are stamped into car dashboards, designed to be visible from outside the car.
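
The missing check described in the Leaf item above, as an added example that is not from the original post or from any vendor's code: a handler that trusts the VIN alone, beside one that authenticates the caller and then verifies that the caller owns that VIN. The VINs, account names, token format and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: VINs, accounts and the signing key are hypothetical.
SERVER_KEY = secrets.token_bytes(32)
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
CLIMATE = {vin: "off" for vin in OWNERS}

def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()

def issue_token(account: str) -> str:
    """Issued after login; binds later requests to one account."""
    return f"{account}.{_mac(account)}"

def account_from_token(token: str):
    """Return the account name if the token's MAC verifies, else None."""
    account, _, mac = token.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(account).encode())
    return account if ok else None

def set_climate_unauthenticated(vin: str, state: str) -> int:
    """The pattern the post describes: the VIN is the only credential."""
    if vin not in CLIMATE:
        return 404
    CLIMATE[vin] = state
    return 200

def set_climate_authorized(token: str, vin: str, state: str) -> int:
    """Authenticate the caller, then check that this caller owns this VIN."""
    account = account_from_token(token or "")
    if account is None:
        return 401  # no valid session
    if OWNERS.get(vin) != account:
        return 403  # same answer for unknown VINs and other owners' VINs
    CLIMATE[vin] = state
    return 200
```

Returning the same 403 for an unknown VIN and for another owner's VIN keeps the endpoint from confirming which VINs are enrolled.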

 

Addressing the security need

I can go on, but I think the picture is clear: In the IoT, security continues to take a back seat to the cool factor.  I get why. Getting something out as first to market is an awesome thing. I’m a total geek and a former coder. I love to build cool things. But as a home owner, a vehicle owner and a parent – I now find myself carefully evaluating any new, cool function before I implement it to ensure that I’m not putting myself or those around me at risk.

Steps are being taken to address these security failures (albeit slowly), such as the OWASP Internet of Things Project. Organizations that are sensitive to these issues are also starting to look to software solutions like CA Mobile API Gateway and the other CA API Management products to provide a rock-solid security model and framework while their developers focus on the important (and fun) work of building cool features.

One hopes that the developers in the various IoT industries take note and get on board adding security to the coolness of IoT.


Bill Oakes, CISSP, is director for product marketing for API management at CA Technologies. Bill…
