Connected Devices and Security: Where Do We Stand?
IoT Security Specialist Brad Ree Says Work Is Underway to Harmonize Security
Without labelling or standards, consumers and enterprises face challenges when buying IoT devices.
Organizations are realizing that while it's possible to issue required security specifications to vendors, they also must verify that the devices are secure, says Brad Ree, CTO of the consultancy ioXt and board member at the ioXt Alliance, a trade group dedicated to securing IoT devices.
"It's a real challenge," Ree says. "How do I know something is secure? How do I specify security in my RFPs?"
For consumers, buying secure IoT devices can be an opaque process. There are also worries over unknown vulnerabilities, such as the recently revealed Ripple20 flaws, in which a TCP/IP component deployed in a wide variety of connected devices was found to contain 19 flaws, including some that are remotely exploitable (see: Millions of Connected Devices Have Exploitable TCP/IP Flaws).
"Unfortunately there are going to be a lot of legacy devices with really deep supply chains, so I don't think we are going to just flip the switch and then all of the sudden solve our security problems," Ree says. "This is going to be a work in progress over time."
But connected device security is improving, Ree says. That's been propelled by numerous initiatives by industry groups and also regulations, such as SB 327 in California. The law, which went into effect in January, requires that devices have reasonable security features.
In this video interview with Information Security Media Group, Ree discusses:
- How IoT manufacturers are responding to an increasing call for better security;
- How regulators and industry groups are working to improve IoT security;
- What challenges enterprises are facing in deploying connected devices.
Ree is CTO of ioXt, a consultancy that tests the security of IoT devices. He's also a board member at the ioXt Alliance, a trade group dedicated to securing IoT devices, which includes members such as Amazon, Google and Facebook. Ree holds more than 25 patents and was formerly security advisory chair for Zigbee.