The Internet of Things is a security nightmare, warns EFF

A panel discussion on finding a balance between security and privacy here at Disrupt New York 2016 touched on various aspects of a complex topic, including strategies for securing customer data and the big risks posed as more types of devices come online.

How can startups best lock down customer data? By not having access to it in the first place, suggested Nate Cardozo, senior staff attorney for digital rights organization the Electronic Frontier Foundation.

Asked whether the EFF is seeing more willingness among companies to view the government specifically as an oppositional force, Cardozo said this is especially true for messaging companies, given how much user data these companies can hold.

Just last week messaging giant WhatsApp was temporarily shut down in Brazil via court order after failing to hand over data to local law enforcement — data it says it does not have access to.

“It’s a field of dreams problem because if you collect the data they will come,” said Cardozo, adding that ‘they’ can include a long list of interested parties, including “attackers, organized crime, law enforcement and intelligence agencies”.

One way of protecting data is to not collect it in the first place.

“If the data is there you’re going to have to protect it. One way of protecting it, of course, is to not collect it in the first place. Which some companies put to great use — like WhatsApp doesn’t have access to content. That’s a great way of keeping all of that content secure.”

The panelists suggested this sort of zero knowledge model will become more prevalent among tech companies, as a more mature understanding of the security risks trickles down through the ecosystem.

“That’s what Apple’s development line looks like,” said Cardozo. “I wouldn’t be surprised if we saw iCloud go to a zero knowledge solution, at least as an option, within the year.”

The acceleration of the battle over privacy and security in the tech space is a consequence of a “huge shift” in the volume and type of data being put online, argued Marten Mickos, CEO of security firm HackerOne, a security firm whose clients pay it to find vulnerabilities in their systems.

“When we built the Internet around 20 years ago we had just fun stuff there. Today we have everything of value governed by software and connected to the world, so suddenly all the organized criminality of the world is hitting at software systems and web systems and we must protect them. That’s a huge shift,” he noted.

[gallery ids="1318996,1318995,1318988,1318986,1319003"]

“We put our entire lives online,” added Cardozo. “And… we’re still really bad at computer security. We barely understand how to secure devices… We’re barely getting started with this. And the fact that companies like Apple are starting to figure it out is causing a challenge for law enforcement that they’ve never had before.”

One looming security concern the panel flagged up as a huge risk are embedded systems — such as medical devices, voting systems and automotive.

“These companies have never really had to worry about security because they’ve never really had anything with networking,” said Cardozo, discussing the risks posed by the rise of the Internet of Things (or “the Internet of some other four letter word“, as he put it).

Medical device companies? They don’t have a fucking clue.

“Why are putting radios, why are we putting networking in everything? Those companies that have engineering staff but no security staff don’t know what to do with a vulnerability report. And in my practice when I’m counseling a hacker or a researcher whose doing vulnerability reporting, the big guys, the software companies, those are nearly always seamless. Apple knows what to do with a vulnerability report… But medical device companies? They don’t have a fucking clue.”

Mickos said the best hope for securing digital data going forward is the shift towards using open source and companies understanding they need to pool their security burden by inviting in outsiders to help.

“In the old security paradigm people felt that human beings were the problem and tech is the solution. I think we’re now learning that actually tech is the problem and humans are the solution,” he argued. “By inviting everybody out there to help you and have a neighborhood watch where they can find your vulnerabilities is actually the fastest way to secure a system.”

The panel also touched on political threats to security and encryption systems — such as the recent attempt by two U.S. Senators to table legislation that would force software companies to build backdoors into their products.

“Taken literally the backdoor bill that Senators Burr and Feinstein introduced would ban general purpose computers, which could not possibly have been their intent — it just shows how naive they are. But that was an opening gambit. They never intended that draft to pass. It’s the next draft that we have to worry about,” added Cardozo.