Sophos’ James Lyne talks about the ‘mess’ that is IoT security and why safeguarding smartphones is crucial
As the world around us becomes ever more connected and we put more and more of our personal lives on to mobile devices, the questions surrounding security become ever more important.
With many people unconsciously still treating their smartphones as a basic device that can only make calls and send texts, and not as a highly-powered connected device that contains reams of personal information, just how worried should users be about the security of their device?
“We’re at a point where our smartphone contains more sensitive information than our PC,” James Lyne, global head of security research at Sophos, told TechWeekEurope at Mobile World Congress (MWC) in Barcelona.
“If you talk to users about their feelings for (mobile) devices…the trust levels are extremely high compared to traditional computers – and there’s a very strong feeling of trust towards app stores.
“But when you actually analyse whether that trust is deserved, it’s quite fragile, and we’ve got users expecting one thing, but receiving another – and that gap is only widening.”
Recent research from Sophos suggests many popular mobile apps still have significant security flaws – such as not storing login details correctly and what Lyne calls the “incompetent use” of secure connections.
He said much of this is down to developers being too focused on a ‘build fast, build hard, ship’ mentality, as many consumers will appreciate new and shiny features over improved security precautions.
“It’s probably not a huge surprise…but maybe it’s time some of those companies start doubling back and asking themselves questions about security,” he explained.
“It’s important that developers continue to focus on secure coding practices – it’s been said a lot, but building security in as you go is a hell of a lot cheaper than retrospectively adding it in later…we’re building some serious ‘tech debt’ in this industry, which at some point, someone is going to have to pay a price for.”
Lyne highlighted a “glacial” change in security awareness among mobile users, as many people remain unaware of the best way to stay protected whilst using their devices, preferring instead to safeguard their work or personal computers.
“I’m not saying that your scale of danger from malicious code on an iPhone is on the same scale as a PC – that’s absolutely not the case,” Lyne said. “But there are small kinks in the armour that are very concerning.
“(Smartphones) have grown so quickly from a simple black box that you can use to make calls and nothing goes wrong, and there’s not a huge risk, to a device that in some cases even has access to more information than a laptop….and our psychological attitude to this device has not shifted as consumers, or small businesses – so our alertness to the fact that we may be attacked is way less.”
Lyne was also at Mobile World Congress to discuss the increasingly important issue of securing the Internet of Things.
As companies race to be the first to release a smart, connected product, from fridges to kettles to socks, this race to launch can often mean that security is left behind. This is a worrying thought when it concerns a device that can gain access to some of your personal data, and Lyne is nothing but blunt when it comes to the current state of the IoT security market.
“Everything is bad,” he said. “The best way to summarise [the current state of IoT security] is – it’s a mess.”
In order to carry out his own analysis, Lyne spent around £5,000 on buying IoT-enabled devices to evaluate their security, and found that many products were severely lacking in even basic security protection.
“Many of the IoT devices I looked at were tragic, embarrassing and negligent,” he says. “It makes you question, who the hell is writing these things?”
Fortunately, the average consumer is not immediately under threat from these lax attitudes, as many connected IoT devices are pretty uninteresting to attackers – at least for the time being.
However, this perspective may soon change as more and more devices are sold, with Lyne pushing for the industry to work out the kinks and begin properly installing security precautions whilst many IoT devices are seen as gimmicks or toys.
Only this, coupled with a growing consumer awareness about possibly low security measures, can help spur on the IT industry into ensuring the IoT remains safe for all.
“When I see the level of investment that some cybercriminals put into modern-day exploits against the browser, against Microsoft’s operating systems, that have invested so heavily in security – it’s pretty easy to see that as soon as it becomes interesting, we’re going to get a very nasty data breach,” Lyne warned.