Cybersecurity is Failing at Two Things: Patching & Authentication | Bruce Schneier | RSAC 2018

So I'm writing about a world where everything is a computer: it's cars, medical devices, drones, thermostats, power plants, weapon systems, smart city anything. It's the fundamental difference between "your computer crashes and you lose your spreadsheet data" and "your embedded heart defibrillator crashes and you lose your life." And as much as privacy matters, and our medical data matters, and even our bank accounts matter, it's just bits. When it becomes life and property, things change.

So, two things that I think are failing in interesting ways. The first is that patching is failing. Our computers and phones are as secure as they are for two basic reasons: one, there are teams of engineers at Apple and Microsoft and Google that do their best to build them securely, and two, those same teams are there working around the clock to write and push out patches when vulnerabilities are discovered in the wild. This doesn't hold for low-cost embedded systems like DVRs and home routers. They're built at a much lower profit margin, they're often built offshore by third parties, and they don't have dedicated security teams; teams come together, build them, then disband. The way you update your home router today is you throw it away and buy a new one. That's the patch mechanism. And actually, that is something that gets us more security, right? We get security from the fact that we replace these things every, you know, two to three years. Embedded systems don't work that way, right? You replace your DVR every 10 years, your refrigerator every 25 years. You go home, find yourself a 42-year-old computer and boot it up, but hey, we can try to make it work, try to make it secure. We as an industry have no idea how to maintain 40-year-old computers. So for the mass market, we could do it niche; we can't do it for everybody. I'm not convinced this is going to scale.

The second thing I think is going to fail is authentication. The amount of authenticating is about to explode, and it's not just normal ones: it's people authenticating a thing, things authenticating people, and even worse, things authenticating things. I mean, so when this talks to my car, it's because I was around when they met each other, right? It works through Bluetooth, and I was there to pair them. That works OK if I've got ten things. Five, a hundred things, or a thousand things that want to talk to each other? OK, that's a hundred thousand or ten occasions; I'm not going to be there for it. So we need some way to do things like authentication at scale. Some of it's going to be through hubs, and right now, if you have any IoT anything, you almost certainly control it through your phone, so the phone is now the de facto IoT controller. And maybe we can offload some of this: everyone authenticates to the phone and the phone does the pass-through. I'm not convinced that's going to work. It's not going to work for smart cities or smart organizations; it might work in the home. This is really what I'm writing about in my book: autonomy, automation, physical agency bring new dangers.