When asked whether anyone has the tools necessary to protect the burgeoning world of the Internet of Things, Sophos head of security research James Lyne said the “sheer pace of change” has prevented that from being possible.
“The use cases that we’re coming up with are leading us to new security and privacy problems that we just haven’t seen before,” said Lyne, who delivered a keynote address at LogMeIn’s Xively Xperience IoT conference.
However, Lyne said that while new technologies present new security challenges, businesses are also making the same mistakes they made five, 10, or 15 years ago.
“These are basic mistakes we’ve made before. We’re repeating old errors,” Lyne said.
One issue is that many of the companies producing IoT products are too small to have their own security teams, so they bring in security experts as an afterthought at the end of development. Once security experts point out vulnerabilities, those companies are already under pressure to launch and often decide to “fix it later.” That’s a particularly bad idea because retrofitting security is significantly more expensive, so often companies decide to forgo the fixes altogether.
“We’ve got to bring the security people in in earlier stages of design,” he said. “And many of these flaws could be eliminated early on in the process nearly for free.”
Lyne said these issues are “surprisingly consistent” regardless of a company’s size.
“I found major manufacturers that are using Linux distributions from when I was a kid,” he said.
PUBLISHED OCT. 5, 2015