Internet of Things heading towards its 'Melissa moment', warns Bastille CEO Chris Rouland
It's only a matter of time!
The Internet of Things (IoT) is heading towards its own "Melissa moment"* - a worm or virus that can replicate across devices, causing havoc as it goes.
That is the warning of Chris Rouland, speaking at the Kaspersky Lab Security Analyst Summit in Tenerife this week, who entirely coincidentally happens to be CEO of Bastille, an IoT security company.
Rouland claimed that a combination of factors makes connected devices especially vulnerable to a Melissa-style worm.
First, the security of many devices is lackadaisical at best. Many lack even rudimentary security, and those that have some often use proprietary models that haven't undergone the rigour of third-party testing. Some do deploy encryption, but use a hard-coded encryption key, rendering it worthless.
"Many of these devices are implemented or built with homegrown encryption that hasn't been reviewed," Rouland said. "Proprietary encryption is always a bad thing, it never works out."
Second, the price of tools such as packet sniffers has dropped from thousands of pounds to mere handfuls of pounds, enabling a much wider range of potential miscreants to eavesdrop on network traffic. Ipso facto, that means there's also no excuse not to test products, especially ones deployed in a corporate setting. "CIOs have no idea, no one does really, what's in their airspace unless they have the right tools to go looking," said Rouland.
And it's not just start-ups rushing to get products onto the market that are cutting corners. Rouland cited a supposedly smart refrigerator - perhaps not dissimilar to one Samsung showcased at the Consumer Electronics Show last month - which connected to people's Google calendars and failed to validate SSL certificates, making it vulnerable to man-in-the-middle attacks.
Even worse, it also left login details vulnerable to anyone who could access the Wi-Fi network over which it was connected.
And, he confirmed, the privacy aspects are also a cause for concern. "You need to think far beyond Wi-Fi and about the amount of privacy data being sucked up ad infinitum," Rouland said. "When you click on the user agreement, you agree to become the product."
* Melissa - strictly speaking, "W97M.Melissa.A" - was a self-propagating Microsoft Word macro virus that was released into the wild in March 1999 by American David Smith. At one point up to one-fifth of the world's computers were estimated to have been infected with it.