Ken Munro is a security entrepreneur and industry maverick who has worked in the information security industry for over 15 years. He has a particular passion for pen testing and IoT security, and founded Pen Test Partners in 2010.
Since then, he and the team at Pen Test Partners have researched, discovered and disclosed various security vulnerabilities in a wide range of smart/internet connected devices and technologies. Munro is also a public speaker known the world over for his live demonstrations that show how systemic issues can lead to IoT devices being hacked and exploited.
This week, he took to the ‘Geek Street’ stage at Infosecurity ISACA North America Expo and Conference in New York to discuss the security risks and challenges surrounding the IoT. At the event, Infosecurity spoke to Munro to dive deeper into this intriguing and important topic.
What is the current state of play of IoT security: are things good, bad…or ugly?
It’s pretty bad, though with a few beacons of excellence and hope for the future. Whilst some vendors have taken responsibility for security and delivered products which are broadly secure, the vast majority are white-labelled, insecure junk. We’ve seen IoT security move from being local compromises of single devices over RF etc., one at a time, to now seeing one vulnerability affect millions of devices and owners at a time.
Why should adoption of IoT technologies be considered with caution?
The driver for most IoT vendors is to get to market first with minimum viable product. With limited funding, this behavior is baked in. Security needs to be considered early on, yet it’s often left to others in the supply chain, if it’s considered at all. Often the first thought of security is when a researcher makes contact, asking how to disclose a vulnerability to them! By that time, it’s too late.
What are the key steps to improving, and ensuring, security in the IoT?
Sadly, I think the only option is to regulate. I’m no great fan of regulation, as I prefer market forces to drive behavior. However, in the case of IoT security, there is little capability in the market to hold vendors to account: the average consumer has no clue which product is safe and secure, and which isn’t. Therefore, the market is incapable of driving the right behavior. Fortunately, numerous US states, the EU and national governments have made progress in this area. I was really pleased to see California take the lead with SB-327 coming into force on Jan 1 2020. For enlightened vendors, there is plenty of good guidance out there already, including from NIST, ENISA, ETSI and many other bodies. Finally, don’t forget to take security advice early on in the development process, together with verifying your security before you launch your product.
What IoT risks and challenges do you predict for 2020?
It’s going to get worse before it gets better – IoT manufacturers are slowly realizing that they don’t have the skills to do security, so they are starting to outsource their cloud platforms, hardware and mobile app development. Sadly, few of the available IoT platforms are actually secure themselves, though there are notable exceptions. As a result, we’re seeing platforms themselves compromised, leading to exploitation of quite literally millions of IoT devices in one fell swoop. The last platform we looked at exposed over 20 million devices. At least there will be regulations to bash errant vendors with next year.