It feels like hardly a week goes by without announcements of major security breaches or leaks. And while we're not in the business of keeping tabs on individual breaches (egregious ones excluded, like the unsecured database containing millions of voice recordings that we covered two weeks ago), there was enough smoke this week to warrant a closer look at where the systemic fire might be.
Let's start with Wikileaks' Vault 7 document drop. While anything Wikileaks publishes these days should be consumed with a rather copious amount of salt, the framing of the purportedly leaked documents, which seemed to ascribe to the CIA almost mythical powers of "cyber", brought the discussion around consumer IoT electronics to the fore again.
And of course everybody now thinks that the ones they need to worry about when it comes to IT security are the CIA or the NSA. They're the ones who get their hands on a lot of zero-day vulnerabilities (which tend to linger unpatched for a long time, as a fortuitously timed study by RAND shows). And yet, the reality is far more mundane.
The web has been around for a while, and there's a whole industry devoted to securing web sites. And yet, the complexity of the frameworks and solutions used to build websites leads to poor security even in an environment where the incentives for security align better than they do in low-cost consumer hardware. Research into some 133,000 websites has shown that at least 37% of them rely on JavaScript libraries with known vulnerabilities.
It might sound antithetical, but I'm coming around to thinking that for IoT to work successfully, and sustainably at that, maybe we need to raise the barriers to entry. Apple often gets a bad rep for its stringent requirements for MFi and hence HomeKit certification, among which there's a requirement for a dedicated security chip in the accessory, but that makes the low-hanging-fruit attacks so much harder. The tradeoff, of course, would be much slower product discovery, i.e. figuring out what people actually want out of connected homes and connected products.
Relatedly, we need to dispense with the notion that "Data is the New Oil." It leads producers of goods who have no business running backend servers and data collection efforts to think they have to do it, or else they'll miss out on a massive revenue opportunity. There's a reason why you shouldn't host your own email server, and that's the exact same reason why you probably shouldn't be collecting customer data yourself: running such infrastructure securely is a full-time specialty. Leave that to the professionals. But I guess you don't become a disruptive platform unicorn with classic core competency matrices.