Wednesday, April 18, 2018

Is there some hope for Internet Of Things security?

Maybe.  Microsoft just announced they are getting into the game:
Microsoft has designed a family of Arm-based system-on-chips for Internet-of-Things devices that runs its own flavor of Linux – and securely connects to an Azure-hosted backend. 
Dubbed Azure Sphere, the platform is Microsoft's foray into the trendy edge-computing space, while craftily locking gadget makers into cloud subscriptions.
I know what you are thinking: Microsoft is solving a security problem? Well, maybe. Microsoft got a bad security reputation 20 years ago, but has been doing a credible job for quite some time now. Besides, they address what are probably the top IoT security issues:

1. The people who write the IoT apps don't know the first thing about security, and so make mistakes that everyone else has known how to prevent for 20 years: insecure default passwords, poor network security hygiene, bad coding that allows common attacks, etc. Because Microsoft is providing a development environment for creating these apps, they can provide a sane set of default settings that will make these sorts of attacks a lot harder. I'm not sure if they will do this, but they could.

2. The people who write the IoT apps mostly don't have an auto-update mechanism to roll out new security fixes. Most of these fixes will not be in the app itself, but rather in the underlying operating system code. Microsoft has an update mechanism built into the system, so this will be automagic. The IoT app developer doesn't have to know anything about security to get this.

These two changes will potentially move the needle a lot to make the systems more secure.  We'll have to see how things play out, but this is a positive move.
