The Internet of Things, due to an appalling lack of security, is indeed a disaster waiting to happen. The recent ginormous DDoS attacks were almost entirely launched from hacked IoT devices. Has your thermostat joined the dark side? How will you even know if it has?
IoT vendors should assume their devices will be found and intrusions will be attempted. Their devices need to protect against this. Further, open source code can be used anywhere. The open source code you wrote for use in your house might be used elsewhere. Is the code bullet-proof? Probably not.
Insanely, many IoT setups routinely give the device full root privileges. That means if a hacker can access the device, they can probably access the entire system. The device should only be permitted to do certain things.
From New Stack, a consortium of open source cloud software supported by dozens of companies, including IBM and Intel.
Assume that every chip you deploy in the field is going to be fully available to anyone who has access to it, summarized Stephen Blum, founder and CEO of hosted app provider PubNub, in the panel.
It should contain no secrets, no hidden access, no keys to anything. It doesn’t matter where the chip will be deployed. “For chips,” he said, “Physical access is full access.”
“If you think just because your software is on a chip, that they can’t get it off of there, you are mistaken. If you think that someone will never be able to understand your custom vertical, you are mistaken. If you think no one will ever find that hidden account you have in there to do debugging or to access certain features that you don’t want your customers to get access to, you are certainly mistaken.”