A recent article on Kaspersky Lab’s Threat Post blog describes the increasing vulnerability of today’s technologically advanced smartphones to a new breed of malware and trojans. As sophisticated hackers move from targeting PCs to focusing on the new wave of smart mobile phones, security solutions for these devices are lagging, much as they did for the PC market in its infancy.
As reported on Threat Post,
The evolution of attacks and malware targeting mobile devices is paralleling the history of attacks on PCs, but the attackers are moving at a much faster pace than the rate at which they developed new tactics for compromising desktop machines. The innovation that’s occurring in mobile attacks is outpacing the state of the art in mobile defenses by a wide margin right now, and much of that can be laid at the feet of the smartphone platform developers–Apple, Google, RIM, et al.–who are making precisely the same mistake that PC software vendors made decades ago: racing to jam more features into the platform and paying little attention to security.
We’ve previously posted the in-progress drafts of the NIST Computer Security Division’s smart grid security plan, Guidelines for Smart Grid Cyber Security. It has now been released for public viewing in its final version, which is available in three volumes:
The security guidelines are intended to outline the security plan for the nation’s next-generation Smart Grid, a two-way system using intelligent networking to control the flow of electricity between power plants and end users. The security requirements and architecture will address not only deliberate attacks, but errors, failures, and natural disasters that also could destabilize the grid.
A recent video from IBM discusses the crucial need to include security by design for the smart grid — as well as all aspects of the data-driven, interconnected “smart planet.”
Smartphone security is hot again. But if we buy smartphone security “apps” and add-ons, are we just avoiding dealing with the real problem? Mocana’s product team did a bottom-up calculation of the connected devices that will be logging on to the Internet of Things in the next 4 years – and guess what? Smartphones are just the tip of the iceberg.
There are a lot of smartphones coming online, that’s for sure. But they account for only a small fraction of the IP-addressable devices that industry analysts say will flood onto the Internet over the next few years. Indeed, the total number of IP-addressable, non-PC devices is exploding across all sectors — from datacom to appliances to smart grid. And the vast majority of these devices are sold, and fielded, with essentially no security measures on board.
Smartphone security is important, and I’m glad that it’s finally getting the attention it deserves. But point-solutions designed for one platform won’t scale across these other (more populous) device classes. And that scalability is exactly what manufacturers desperately need, when many of them — like Sony or Panasonic — make and sell devices on literally every facet of this iceberg. Sooner or later, the security approach needs to be unified and holistic – otherwise we’re going to run out of fingers to stick in our leaky dams.
As an industry, we have reached a critical point: it is time to decide how we secure the future. It is crucial that we not make the same mistakes we made when developing PC security 15 years ago. Smart device security needs to become more platform agnostic, scalable and extensible.
Download Mocana’s Smart Device Iceberg in PDF or JPEG format.
A recent post on Read Write Web compiles a list of the “Top 10 YouTube Videos About [the] Internet of Things.” The collection features videos covering everything from RFID tags and Web 3.0, to an opera of smart robot rabbits. In addition, in one video an expert questions the possible privacy concerns of all of this new networked data.
A recent article on CNET News looks at some of the latest innovations in smart, green consumer technology in the home. Much of the new technology taking shape today will rely upon the increasing presence of smart grid utilities.
Welcome to the future of your electrical home: It has lots of “smart” stuff, from meters that measure your consumption to appliances that know how to save you money…. It all connects to a “smart grid” that controls electrical flow so the brownouts experienced by California last decade don’t happen again and the electrical grid can take advantage of new, greener energy generators like solar and wind. All this technology will use cutting-edge security to prevent hacking the grid and protect your privacy. [...]
Digital electricity takes many forms. It could be a dedicated energy “dashboard” on your kitchen table, or it could be an application on an iPad, laptop, or TV. With the right apps, you’ll know how to cut the stand-by power on your electronics, how much your solar panels produce, or how much juice your electric car needs to get to work.
Mocana is pleased to announce the release of our 2010 Mobile & Smart Device Security Report, (PDF) “Concern Grows as Vulnerable Devices Proliferate, Smartphones are the Tip of the Iceberg”.
In the report, we find that many businesses and organizations are well aware of — and already dealing with — the increasing security threats facing the mobile and smart device ecosystem. In fact, 71% of our security survey respondents expect a serious incident arising from attacks on, or problems with, connected smart devices within the next 24 months. Additionally, 65% reported that attacks against their smart devices already require the regular attention of their IT staff, or will start requiring it this year.
However, despite this level of awareness, results show that relatively few organizations are prepared for today’s device security problems and those that lie ahead.
For more details, download Mocana’s FREE Mobile & Smart Device Security Report here.
While today’s tech landscape is rapidly changing — transitioning toward cloud computing, mobile devices and the internet of things — the way tech companies approach and speak to security is changing as well.
As described by Larry Walsh recently on Secure Channel, security is moving from a “point solution” and becoming an “embedded feature.” What was once the main focus of giants like Cisco is now playing second fiddle to other developments. The result is that many companies now “sell a portfolio of products and services [that] are increasingly minimizing core security in favor of the assumed security.”
In his article, Walsh cautions about the dangers of this development if awareness isn’t high:
Embedded security shouldn’t be assumed security. Vendors and solution providers need to articulate the intent and limitations of embedded security features. Many of the embedded security measures are designed with the assumption that there will be complementary network-level security protections bearing the brunt of the security workload. Without that level of awareness, some end users–particularly smaller companies–might incorrectly assume that they can avoid spending money on point products.
We’ve previously posted (here, and here) about the device security concerns facing today’s heavily computer-controlled automobiles. And now, researchers have found that even the requisite tire pressure monitoring systems — run by wireless sensors — could be a real security vulnerability.
The wireless sensors…can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction. [...]
The tire pressure monitors are notable because they’re wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.
The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.
Intel raised eyebrows today by announcing that they intend to purchase PC-security giant McAfee in a $7.68B deal, paying a 60% premium over McAfee’s 8/18 closing price. What’s really interesting, though, is that ‘securing a device-dominated Internet’ was used as the key rationalization for the deal.
Intel President and Chief Executive Paul Otellini said, “In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences.”
David DeWalt, McAfee’s CEO said, “The current cybersecurity model isn’t extensible across the proliferating spectrum of devices — providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security. Frankly, the industry needed a paradigm shift — incremental improvements simply couldn’t bridge the opportunity gap.”
Renee James, Intel’s Software and Services Chief said, “As we look at the businesses we’re in, we see that security is the No. 1 purchase consideration. We believe that we can enhance security with hardware and come up with a better solution.”
They’re all right. Device security is becoming a requirement, not an option. But smart device security is a highly specialized space and it requires a clean slate approach. The newly combined companies will need to substantially beef up their credentials in this area. At Mocana, we believe that the security model for a device-dominated Internet needs to be fundamentally different from the networked-PC paradigm familiar to Intel and McAfee. It requires an entirely new architectural and philosophical approach to security. Today’s best-in-class approaches to securing smartphones and other smart devices simply aren’t architected to deal with emerging attack vectors.
The right approach is a ‘Smart Device Security Platform’ that is device independent, utilizing a “universal security client” that takes advantage of security features in silicon, and is serviced from the cloud with context-intelligent security services and apps. This is the approach being pursued by Mocana. It’s an approach that works for smartphones, but also for medical devices, industrial automation, military equipment, consumer electronics, appliances, cars and any other smart device, too. A common way to protect and secure networked smart devices is what device manufacturers, carriers, governments, enterprises and consumers want and need.
At the end of the day, this deal is a $7 billion validation of Mocana’s category: Smart Device Security. We welcome Intel and McAfee’s energy and innovation and look forward to working with them and the rest of the industry to secure what’s next. In the meantime, if you’re curious about how people really feel about the security of their devices, we encourage you to download our FREE report (just published!), the 2010 Mobile & Smart Device Security Report (PDF).
What’s your take on the deal — and Smart Devices? Leave us your comments!