Entrepreneurs: Think Security from Day One
by Miki Saxon
There are dozens of startups working on wiring everyday products to become part of the Internet of Things (IoT), and a few weeks ago I cited an article saying that raising money in that arena was tied to building security into a product from the beginning.
Security used to be a function to which consumers gave little thought, but that is rapidly changing.
Anything can be hacked, but awareness was heightened recently when security experts hacked a Jeep’s entertainment system and took control of vital driving functions.
The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
And if none of this makes IoT startup founders rethink their cavalier attitude towards building tough security into their initial design, perhaps this comment from Colby Moore, a security research engineer at the cybersecurity firm Synack, will make them think twice.
“Really, the state of security on these things right now is pretty atrocious… A lot of these device manufacturers are just not security people and they really just don’t have security people on staff, especially when it comes to IoT start-ups. What they are doing is phenomenal with all of these new uses for technology. But security isn’t a concern for everybody. It’s ship now and patch later mentality.” (…) “If you are worried about it then don’t put yourself at risk. It’s kind of up to us to demand a higher security standard and hold the manufacturers to it.”
Flickr image credit: centralasian
July 30th, 2015 at 4:31 am
I am a security professional and this is something that we have been talking about for years. It happens in every industry when something new comes along. Everyone is in a hurry to get to market and they don't even consider security beyond the bare minimum, and many don't even do that. Many of them know that security needs to be there, but security requires more time and that delays their release. What most of them don't understand is that adding security later costs more and is rarely as effective as if it was there from the start. Also, what many of them don't seem to understand is that security isn't that hard or time-consuming to do early on. For most products, everything that they need is already available; it just needs to be incorporated into their product and tested. Sure, it may delay their release by a couple of days, but if they do their planning as they should, they can still make their dates and have a better product.
July 30th, 2015 at 8:52 pm
Hi Andy,
Do you think they don't understand or just don't care? The last founder I asked about hacking looked at me like I was nuts and then said he would deal with it if something happened.
I've been around long enough to remember when both manufacturability and quality weren't part of the design function. I also remember how many years that took to change. We can only hope that security will happen faster — not that I think it will keep up with the black hats, but one can always hope!
Thanks for adding your comments and credibility to the post.
July 30th, 2015 at 9:14 pm
Hi Miki, I think it's both. There are those who don't care because they don't understand and those who don't care because they only care about market share and being an early player. It's people like that who are the fuel for the researchers that do things such as the Jeep hack. It takes sensationalism to get the attention of the manufacturers and software companies.
July 30th, 2015 at 9:50 pm
You're right, Andy, but I think the sensationalism needs to get consumers' attention, too, so they will get scared enough to keep their wallets shut and vote with their feet. In general, most companies aren't particularly proactive; they are reactive, but the market has to scream loudly to get them to notice.