Security professionals have been talking for months about the dangers of smart devices, most of which are almost comically (and tragically) lacking in even the most basic security protocols. More recently, the global WannaCry ransomware attack demonstrated that smart medical devices were vulnerable to attack, with several of them being temporarily shut down by the malware. But exactly how bad is the problem?
Here’s an interesting comparison:
This past week, Google’s Project Zero found a total of eight critical security flaws in Microsoft’s Malware Protection Engine. Microsoft considered this to be such a serious issue that they took the unusual step of issuing a patch outside their normal schedule to address them.
Now, compare that with the findings of security researchers from WhiteScope, who identified more than 8,600 security flaws in a line of smart pacemakers, most of them coming from third-party libraries.
It should be noted that not all of these flaws are considered critical, and the number spans seven different manufacturers. However, the sheer number underscores the difference in scope and scale, and the point is further driven home by looking at the way smart device manufacturers are responding to the report.
We’ve known since at least 2013 that the vast majority of smart devices being marketed and sold today are highly insecure, and yet, almost none of the equipment manufacturers have done anything about it. This latest report generated a response that was more of the same – almost complete disinterest.
That’s dangerous, because it sets the conditions for what amounts to a perfect storm. Right now, there are people living all over the world who rely on smart medical devices to keep them alive. The day’s coming when a hacking attack will kill someone.
Granted, even if smart device manufacturers started taking security more seriously, that would still almost certainly happen at some point. Taking no meaningful action at all only hastens the arrival of that day.