Terry Dunlap Rants: “It’s Déjà Vu All Over Again as the FTC Seeks IoT Patching”


About three years ago, my team and I consulted with the FTC on their concerns about the gaping vulnerabilities in IoT devices. They knew then and know now that unsecured IoT devices pose huge security threats.

Today, we read story after story about cyber attackers who leverage thousands – no, millions – of connected devices as electronic soldiers in their armies. And the threats will continue to grow as new, unsecured devices enter the market each day.

I read this recent article entitled, “FTC sets $25,000 prize for automatic IoT patching” and shook my head (SMH). First, the prize is not enough to actually patch anything. Second, shouldn’t companies also be building embedded firmware more securely before selling their devices to unsuspecting clients and consumers (more on this below…)?

Think about patching existing embedded firmware devices. Outside developers would need access to source code to patch vulnerabilities. How would this unfold? Are companies likely to share their source code given legal and other limitations? What about defunct companies whose source code is a distant memory?

It seems like the FTC seeks a magic bullet by offering prizes to patch only some of what ails vulnerable IoT devices. And we all know there are no magic bullets because, if there were, I’d be a lot taller.

Let’s step back and look at the bigger picture. The FTC can run a good contest to support patching devices and encourage companies to fix their security holes. Yet, they should also consider ways to help companies be better from the start, even though many companies resist building secure IoT devices based on one factor: money. There’s little to no ROI to bake in security when firms operate on the thinnest budgets to bring their products to market.

Companies might only respond to security concerns after a cyberattack has leveraged their products or affected a company just like theirs. Or, they may slowly respond when government groups or non-profits enact laws or enforce standards. Human beings get comfortable with their own behavior – even the risky kind.

But, can’t we cost-effectively build secure embedded firmware from the start? Of course we can.

Terry Dunlap

Founder and CEO, Tactical Network Solutions


P.S. On a related note, consider how many people actually apply firmware updates that are proactively issued by the manufacturers. Raise your hand if you do. Ah, just as I thought. It’s only about 55% (based on the power of Google research).

About Tactical Network Solutions
Are you concerned about risky, vulnerable embedded firmware in IoT devices, connected medical devices, automotive ECUs and industrial control systems? You're not alone. Since 2007, Fortune 500 companies and governments around the world have sought out Tactical Network Solutions for reverse engineering training programs, firmware evaluations, and cyber risk mitigation strategies. Clients are excited to leverage our automated firmware evaluations and consulting performed with the proprietary Centrifuge IoT Security Platform. The evaluations are performed with NO access to source code, on compiled images containing a Linux-based root filesystem built for MIPS, ARM or x86. We also support QNX (a real-time operating system) and Docker containers. TNS evaluations have revealed thousands of hidden attack vectors, including erroneously placed private crypto keys, insecure binaries with highly vulnerable function calls and other rampant security holes in embedded firmware. Our community of clients includes firmware developers, underwriters, law firms, governments and intelligence agencies worldwide who share a common goal: to discover hidden attack vectors in IoT and connected devices.
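The two findings named above (private keys shipped in the image, and binaries importing unsafe libc functions) are the kind of thing a source-free scan of an extracted root filesystem can surface. The script below is an added example written for this page; it is not TNS's code and does not reproduce the Centrifuge platform. The function names, the dangerous-import list and the in-memory sample filesystem are all constructed here. It is deliberately heuristic: a real tool would parse the ELF dynamic symbol table, whereas this one looks for NUL-terminated symbol names, which is how they appear in an ELF string table.

```python
"""Heuristic static scan of an extracted firmware root filesystem.

Added example: scans files for (1) PEM private keys that should never ship
inside an image and (2) ELF binaries that appear to import unsafe libc
functions. No source code is needed, only the unpacked root filesystem.
"""
import re
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"

# PEM headers for private key material (public keys are intentionally excluded).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# libc functions whose presence in an import table warrants a closer look:
# unbounded copies, format-string sinks and shell invocation. (Assumed list.)
DANGEROUS_IMPORTS = [b"strcpy", b"strcat", b"sprintf", b"gets", b"system", b"popen"]


def has_private_key(data: bytes) -> bool:
    """True if the file contains a PEM private-key header."""
    return PRIVATE_KEY_RE.search(data) is not None


def find_dangerous_imports(data: bytes) -> List[str]:
    """Return unsafe symbol names that look like imports of an ELF binary.

    Heuristic: .dynstr stores symbol names as NUL-terminated strings, so
    b"\\x00strcpy\\x00" is a strong hint that strcpy is referenced. The leading
    NUL also keeps 'snprintf' from matching 'sprintf'. Non-ELF files are skipped
    so that a web page or shell script mentioning 'system' is not flagged.
    """
    if not data.startswith(ELF_MAGIC):
        return []
    return [n.decode() for n in DANGEROUS_IMPORTS if b"\x00" + n + b"\x00" in data]


def scan_rootfs(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each path with findings to a list of issue descriptions."""
    findings: Dict[str, List[str]] = {}
    for path, data in files.items():
        issues = []
        if has_private_key(data):
            issues.append("private key")
        issues.extend(f"imports {fn}" for fn in find_dangerous_imports(data))
        if issues:
            findings[path] = issues
    return findings


# Constructed sample filesystem (not a real firmware image). The "binaries" are
# just the ELF magic followed by a fake string table.
SAMPLE_ROOTFS: Dict[str, bytes] = {
    "/etc/ssl/server.key": (
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "/etc/ssl/server.pub": b"-----BEGIN PUBLIC KEY-----\nMFkw...\n-----END PUBLIC KEY-----\n",
    "/usr/sbin/httpd": ELF_MAGIC + b"\x01\x01\x01\x00" * 3
    + b"\x00libc.so.0\x00strcpy\x00system\x00snprintf\x00",
    "/bin/busybox": ELF_MAGIC + b"\x00snprintf\x00strncpy\x00",
    "/www/index.html": b"<html><!-- calls system() on the backend --></html>",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}


def main() -> None:
    for path, issues in sorted(scan_rootfs(SAMPLE_ROOTFS).items()):
        print(f"{path}: {', '.join(issues)}")


if __name__ == "__main__":
    main()
```

To run this against a real unpacked image, walk the extracted directory with `os.walk` and feed each file's bytes into `scan_rootfs`; treat every hit as a lead to confirm in a disassembler, not as a vulnerability by itself, since an import of `strcpy` is only dangerous when the copy is reachable with attacker-controlled input.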
