CES 2016: The largest collection of insecure devices in the world

The annual Consumer Electronics Show in Las Vegas has just wrapped up. With 160,000 attendees, 3,800 exhibitors, and almost 2.5 million square feet of exhibit space, this is the largest electronics show in the world. The array of new products and technologies has been featured on virtually every media outlet from Good Morning America to Conan.

There is something for every interest on display, from self-driving cars and drones to video games, virtual reality, and smart appliances. I saw products for exercise, infant care, elder care, food preparation, smart trash cans, and toilets. It is really exciting to see the extremes of modern day technology.

However, two important themes struck my attention.

First, everything is being connected. And by everything, I really mean everything, whether it needs it or not, most of them using some type of wireless interface.

Second, everything is insecure. Again, I do mean everything. It is a hacker’s delight. Security experts have long understood that building a truly “hacker proof” system is virtually impossible, and that the challenges grow dramatically as systems become more complex. It is no surprise, then, that insecure systems abound. What is surprising is how little is being done to secure these systems.

Some companies have started to build security into their products, and in the more security- and safety-critical areas, we’re seeing some progress. But very few vendors have made security a priority. What I find truly worrisome is that the majority of new products have not adequately addressed even the most basic security requirements. From drones to vehicles to smart home appliances, very few products have implemented strong security. Many developers are in such a rush to get their products to market — and to connect them to the cloud or smartphones — that they simply ignore the need for security.

It is time to prioritize security. Companies have very aggressive timelines for developing and deploying new products. Depending on who you talk to, experts predict commercially available self-driving cars as soon as 12 months from now; 4-5 years at the outside. Companies must be just as aggressive in building security into these products.

Business as usual won’t get the job done. In the last year, leading companies including Juniper, Jeep, and Cisco all suffered significant security breaches. Just as new approaches, new business models, and new companies are driving the development and adoption of new products, we need new approaches to secure these systems. Companies need to apply the same level of innovation to security.

The enabling technologies are now available. Silicon manufacturers provide secure MCUs and security co-processors. IoT security companies are providing the software stacks and management software to enable manufacturers to build secure devices.

As a techie, I enjoy CES. It’s fun to check out all the new gadgets and devices. I get excited about self-driving cars and intelligent baby monitors that can reduce the number of deaths due to Sudden Infant Death Syndrome (SIDS).

But as a security professional, CES is a bit of a nightmare — the largest collection of insecure devices in the world.

Alan Grau is President and co-founder of Icon Labs, which provides security software for IoT and embedded devices. He is the architect of Icon Labs’ Floodgate Firewall and has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. You can reach him at alan.grau@iconlabs.com.