Teaching Smart Devices to Lie
Smart Hardware is not just “Software Wrapped in Plastic”
Recently I’ve been thinking a lot about architectures for the Internet of Things. About how those architectures affect the security of our devices, but also how we think about security—and about data—and I’ve come to the conclusion that we’re doing it wrong.
In fact I think the very idea that hardware is just “software wrapped in plastic” has done real harm to the way we have built smart devices.
For the most part, the wide-scale security compromises we’ve seen with the Internet of Things have been unsubtle. Mirai, for instance, was a piece of malware that identified vulnerable IoT devices using a list of just 60 (or so) common factory default usernames and passwords; it then logged into them and took them over to form part of a botnet.
Infected devices continued to function perfectly normally, except for occasional sluggishness and an increased use of bandwidth, so their owners generally didn’t notice anything was wrong.
The types of devices that were taken over were for the most part ‘just’ IP cameras, but despite that, the botnets created by the Mirai malware have been used to perform some of the largest and most disruptive distributed denial of service attacks ever recorded.
More recently there have been WannaCry and NotPetya. Although not specifically targeted at the Internet of Things, both shut factories, railways, even wind turbines. But these are only leading indicators.
Just before midnight on a clear and cloudless night back in April, the tornado sirens in the greater Dallas Fort Worth area started to sound. All 156 of them.