Noted security experts Charlie Miller and Chris Valasek said the Internet of Things can’t be secure, but it can be tamed.
Drawing from their car hacking experience, the two spent the morning contemplating the larger universe of IoT security and conceded that there will always be thousands of connected devices that will never be secure, and that industry should prioritize personal safety and the security of automobiles and medical devices, for example, over toothbrushes and door locks.
“We write code and we are not perfect. The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security,” said Miller, who along with Valasek are principal autonomous vehicle security architects at GM’s Cruse Automation. The comments were made during a keynote at the Black Duck Software’s Flight 2017 conference.
The problem, they said, is if a business’s core mission is not security or personal safety, it’s never going to be cost-effective to build world-class security into the devices it makes. Device makers can’t sell great IT security as a product feature and can’t pass the cost on to the customer.