2015 CES International Review - Where's the Security?

2015 CES International Review - Where's the Security?

This year’s Consumer Electronics Show (CES), surely didn’t disappoint. And while the car stereo systems and massage chairs lurked in the cheap seats, front and center were over 900 companies demonstrating thousands of new Internet connected devices that will be flooding the market this year. Quite honestly, CES was all about the Internet of Things. Lots, and lots, and lots of things.

The bulk of the things were part of the “connected” or “smart” home. There were impressive displays from ADT, Honeywell, Kwikset and even Lowe's hardware (we’re guessing that Home Depot’s absence was for security perfection). And while these companies had lots of shiny new toys to show off, the IoT sessions at CES were all about 2015 being ‘The Year of the Smart Home Hack’. These sessions elevated the questions around how these smarter homes will be maintained. Who is going to manage and patch your 12 smart locks, 42 light controls, 8 video cameras, and 3 thermostats? Since the average netizen can’t manage to come up with a secure password, it’s unlikely they’ll keep up with all of these firmware updates. Result? Vulnerable homes. While I don’t see the smart-home being hacked per-se, I can see PC based malware collecting or compromising IoT sensors in the home and workplace, as well as self-propagating malcode. A 100Gbps DDOS launched from IoT devices was observed on 12/31.

CES definitely confirmed that security is an afterthought not just for device owners, but for their manufacturers as well.  In fact, there was only one dedicated security and privacy session led by FTC Chairwoman Ramirez, but across many IoT sessions security concerns were top of mind. Q&A sessions were dominated by security concerns. Encryption and security in product design was encouraged to avoid the recent breaches experienced by apps like SnapChat and Yik Yak, though there was a clear absence of security assessment or mitigation in IoT. 

Also on display at CES were new wireless protocols. While the old faithfuls like WiFi and Bluetooth remained the Belles of the Ball, ZigBee, Z-Wave, and EnOcean made their debut as key IoT protocols. This is foreign territory to the majority of IT staff and it will be critical for them to get up to speed, or at a minimum, come up with a way to see these protocols when they are trying to access the networks. Of interest, is the amount of security and automation riding on these protocols, it remains to be seen who keeps Z-Wave and ZigBee secure.

And finally, and least impressive, consumers love electronic knockoffs.  As I dug into the little Chinese manufacturer booths, I found many little devices that looked identical to Fitbits, smart watches, etc just waiting to jump on a market looking for a good deal. And just like the cheap, vulnerable, Android tablets that hit the market in 2014, I expect 2015 will be the year of the knockoff wearable. Just as you can buy a cheap Rolex in Chinatown or a Louis Vuitton bag for $100 in Times Square, you get what you pay for and these devices will have more security vulnerabilities than their pricier counterparts. I predict a huge market for counterfeit wearables over the next few years.

So, to summarize. Lots of gadgets. Lots of walking (just ask my FitBit). Lots of room for both the good and the bad guys to get in the Internet of Things game.

Bastille In the News