Security is a Process, but Products are Products

There’s a saying, “Security is a process, not a product”. But companies don’t ship processes, they ship products.

Now, when you buy some products, you’re also buying the process. If you’re running Windows, Mac OS, iOS, the Xbox 360, or a PS3 (to cite a few examples), then assuming your device is online and keeping up with updates, the vendor is producing updates and you are downloading and installing them. That’s the process.

There are a few problems with this, but the one I’ve been thinking about lately is the proliferation of devices that are coming with network connections, and the lack of attention they get from the vendors. They shipped a product with a set of features, and their solution to a problem in the current version is to fix it in next year’s model.

I’m thinking specifically of something like my TV. It supports Netflix and YouTube and a number of other online services, and it’s plugged into my network.

Is whatever OS is running in the TV secure? I have no idea, but I know from experience that the software embedded in this sort of device generally doesn’t get much security scrutiny. It may be running an embedded Linux or some other OS that is reasonably secure, or was when it was burned into the firmware, but new vulnerabilities are found all the time. Did the device patch itself against the zlib vulnerabilities found a few years ago? I doubt it.

It might sound like the stuff of science fiction but more and more devices are getting connected and running software. And any one of these can be exploited.

If my TV was compromised, how would I even know it? Maybe it’s a part of some massive TV botnet. Smart hackers can get your devices to do their bidding without you knowing it, and it’s quantity, not the power of each individual node, that makes for a dangerous botnet.

Think about all the Android phones sold by vendors that aren’t issuing updates for those devices. There are millions of them out there. Give an evil organization a million machines on a botnet and they can take down a good chunk of the Internet.

Scary stuff.

The only solution I can think of is a system where a machine has to have some sort of valid “allowed to access the network” ticket that is automatically invalidated when an exploit is found for that machine. Packets would carry that ticket and upstream network providers (like maybe your home gateway, and then your ISP) would drop packets that came from exploitable devices (whether they’d been exploited yet or not).

Maybe this would force the process on companies that just want to sell a product.