10 Risks: Internet of Things Security
HP's Daniel Miessler Discusses Latest OWASP Guidance
By bundling insecure Web, network, cloud and mobile interfaces, and rushing to market, "Internet of Things" device makers are compounding the breach risks facing consumers, warns Hewlett-Packard's Daniel Miessler.
But manufacturers and software developers have a new tool to help them build more secure - and hack-proof - Internet of Things devices, be they Internet-connected home alarm systems, health monitors or televisions, Miessler explains in an interview with Information Security Media Group.
The Open Web Application Security Project has published a list of the Top 10 Internet of Things Security Risks. It contains guidance for how Internet-connected device creators can build secure products that protect consumers' privacy and minimize the risk of intrusions and data breaches. The guidance covers everything from cloud and mobile interfaces to firmware updates and physical security.
"What's unique and a little bit frightening about Internet of Things security is that you're taking all of those highly vulnerable areas and you're pulling them all together and wrapping them up under one product," says Miessler, who's a practice principal at HP Fortify on Demand as well as one of the leaders of the OWASP Internet of Things project. "So you're saying, 'Let's take vulnerable Web apps, a highly insecure mobile app, let's put it on a device that doesn't have great physical security, now let's connect that to the cloud, with some sort of Web interface that isn't super-hardened, and now all that together is your Internet of Things deployment'."
In an interview with Information Security Media Group, Miessler discusses:
- Why so many Internet of Things devices aren't secure;
- Common but preventable vulnerabilities;
- Why more firms need to practice vulnerability and penetration testing;
- The security tradeoffs vendors are making by rushing products to market;
- How manufacturers can apply the OWASP Top 10 Internet of Things security recommendations to build more secure products.
Miessler has more than 15 years of experience in the information security realm as a penetration tester, security consultant and architect. He's also worked as a systems administrator and served as an intelligence analyst in the U.S. Army.