What Android teaches IoT developers about security

A refrigerator that can sense when you’re running low on groceries and have them delivered to your door. A thermostat that knows when you’re coming home and adjusts the temperature based on the weather and a car that can notify your friends when you’re running late and confirm appointments. These dream-come-true devices are well on their way to normalcy, but with them come a potential nightmare of security threats.

I know firsthand that when you see a burst of innovation, security isn't always at the forefront of developers’ minds. For example, part of what made Android so unique when Google first launched it was how customizable the software is. Hardware vendors are free to adapt the stock Android OS to specific devices, which is one reason why Android has become the world’s most popular mobile platform. While that flexibility is unrivaled, it also presents a major security liability that the industry still hasn’t cracked.

Security as an afterthought

This summer, for example, Campbell Murray, technical director at BlackBerry, and Fraser Winterborn, head of cybersecurity R&D at BlackBerry, demonstrated how easily an office’s network-connected “smart” tea kettle can be leveraged by hackers to infiltrate an entire network and put sensitive company information at risk. While eliminating the need to wait for boiling water in your office’s communal kitchen may sound nice, the product’s unsophisticated design is a weak link that leaves all network devices exposed.

Production of these types of IoT devices shows no signs of slowing. By 2020, Gartner estimates that 13.5 billion “things” will be connected to the Internet. And while the Internet of Things creates disruptive value for businesses, consumers and society, security too often takes a back seat as executives push developers to produce flashy designs and fast profits under near-impossible deadlines. As a result, the IoT must overcome a long line of interests by manufacturers, vendors and other players in order to fix its security issues, which sounds similar to Android’s fragmented, multi-player security patch process.

We saw this problem come to life last year when our team discovered a series of security holes in Android’s core media-handling library, libstagefright. The Stagefright vulnerabilities put upwards of 950 million Android devices at risk without users ever knowing their devices were vulnerable. In response, Google released a wave of Stagefright patches, and has continued to distribute monthly security updates ever since. Unfortunately, six months after Google released its initial patches, between 599 million and 856 million devices were still vulnerable to at least one of the security holes.

Keeping up with the updates

It’s easy to blame this issue on consumers foolishly ignoring security updates, but the real fault falls on the shoulders of device makers and carriers who failed to deliver critical updates to users. While companies like Samsung and LG have done a good job pushing out updates, most users will never be protected at this point. The issue is so serious that the FTC and FCC launched a formal investigation into the security update practices of leading operating system providers, original equipment manufacturers and mobile service providers.

The Stagefright vulnerabilities may have been a wake-up call for the Android ecosystem, but every device connected to the internet is a potential access point for hackers looking to exploit sensitive personal data. As homes become “smarter”, more and more of these vulnerable devices will live in the spaces where consumers feel most safe. Countless IoT device hacks continue to surface, including a DDoS attack that used over 25,000 compromised IoT CCTV cameras this summer. The FCC is now attempting to regulate the IoT as well – with the privacy and security of 5G and the huge repositories where IoT data is being stored top-of-mind for the agency.

The number of “things” connected to the internet has well surpassed the number of people on Earth, and IoT consumers are already starting to suffer the consequences of a fragmented multi-player security system, just as they did with Android. Due diligence at the developer level is essential to ensure the safety of millions of consumers before a vulnerability of the same scale as Stagefright occurs.

Community is critical

Most importantly, the IoT needs a strong sense of community where developers working across vendor, carrier and manufacturer offerings can share information and best practices for detecting and fixing security problems. Quickly deploying security patches is not enough, so it’s critical for the IoT community to prioritize real-time threat detection as a first line of defense for unknown exploits. For example, SAP allows developers to embed advanced security defense right into a mobile application. The industry must hold itself to the same standard for the IoT.

This route will ultimately cover more endpoints, and reduce the pressure on developers to constantly create and push out security updates. Without a consensus on how to implement security during the build process, IoT devices will become increasingly attractive targets for cybercriminals, and the true potential of this new frontier will never be realized.

Image credit: Flickr

Topics: App DevSecurity