Hacking Vint Cerf’s Wine Cellar, or Why We Need to Secure the Internet of Things

If you haven’t seen Vint Cerf speak, you’re missing out. He’s smart, funny and humble. He’s also a legend: commonly introduced as the “father of the Internet,” he co-designed TCP/IP, the protocol for sending data packets over the Internet, and helped bring Internet-based email to the masses. Cerf is a big proponent of the Internet of Things. And he thinks it needs to be secure.

San Francisco was buzzing with conversation around the security of IoT during the RSA Conference two weeks ago (speaking sessions related to IoT were up 450 percent this year over last), but my question is — will we get security right with this new world of connected devices that are increasingly managing our lives? Cerf hopes so. He acknowledges that security wasn’t on his mind in the early days of the Internet. When he was developing TCP/IP for the Department of Defense in the early 1970s, he worked through all the possible “failure modes” but not possible attacks, he said at a City Arts & Lectures talk last week in San Francisco. That was partly because he assumed all the links would be encrypted and partly because he “wasn’t thinking about global availability in the civilian world.” So, encryption and other security were retrofitted in. “If I had to do it all over again,” he said, he’d put public key into the underlying Internet protocols and would have used 128 bits for Internet addresses instead of 32 bits.

Vint Cerf in his trademark suit. Credit: Guido van Nispen. Flickr Creative Commons license.

We missed the boat in securing the Internet, and companies like Lookout have tackled security on mobile devices. There’s an even greater urgency with IoT because there’s so much at stake. It’s one thing to have your credit card number stolen from a Target breach or your Twitter account compromised, but it’s entirely another when someone hacks your car or home security system or the traffic lights. Or Cerf’s wine cellar.

This isn’t just any wine cellar. Cerf’s cellar monitors light level, humidity and temperature; if the temperature rises above 60 degrees he receives an SMS. He can tell if someone entered the cellar based on lights turning on and off, and RFID tags on the bottles would allow him to know if someone made off with a bottle. The hack would be to drink the wine and put the bottle back on the shelf. Sensors in the cork could stop that, he said, clearly thinking of all possible attacks in this case.

Another bottle of wine on the wall, another bottle of wine…

The ever-expanding number of devices I’ve surrounded myself with is great, but I’m already annoyed with the complexity of logging into my Fitbit, connecting it to my iPhone and trying to remember to use my Lumi Lift. “The problem is dealing with this at scale,” said Cerf, who is Chief Internet Evangelist at Google. For example, if you have 100 devices in your home and you move, you have to reconfigure all those devices to communicate only with each other and you, and not with your neighbors. “We’ve got to get this right,” he said, and do it “in a more uniform way because if there are different devices and protocols it will be a nightmare for consumers.”

The growing fascination with the IoT no doubt has spurred interest in identity as a crucial piece of the security puzzle — along with the need to simplify and reduce the pain from ubiquitous passwords. It’s interesting to note that there were three new tracks at RSA this year: C-Suite View (security is now a board-level concern), Identity (authentication, authorization and privileges across boundaries) and Securing the Ecosystem (healthcare, automotive, telecom and supply chain). Just like my bank needs to know it’s me logging into my account, connected devices all need to know who or what they’re talking to.

We’re only in the early stages of the Internet of Things and I have high hopes that smart people like Cerf and others who have a part in building the new IoT infrastructure will learn from the past to protect the future. We won’t get everything right: humans still write code and they’re fallible. But we’re more focused now on weaving security into the fabric of systems (see how the experts are doing it with the BSIMM, Building Security In Maturity Model), hiring smart hackers to do penetration tests, and making it easy for researchers to report bugs and get paid (a la HackerOne). Maybe this time we can get it right.