Content Protection Expert Stresses IoT Vulnerabilities at CPS

Spencer Stephens, the former, longtime CTO of Sony Pictures Entertainment and founder of cybersecurity consulting firm Spencer.Media, wishes everyone involved in the IoT (Internet of Things) world would consider the “T” in “IoT” as “Threat.”

For much of his professional career, Stephens has learned that the biggest threats are those you’re not even aware of. All the firewalls and known risks you’re prepared for mean absolutely nothing when hackers are coming at you from new angles. And with more hardware devices than ever before connected to the internet, the list of threats has grown exponentially.

“If you have a system connected to the internet, and it has a vulnerability, someone will find it, and exploit it,” Stephens said Dec. 6, speaking at the Content Protection Summit in Los Angeles. And, the scary thing is, it’s no guarantee manufacturers will be up front about the vulnerabilities of their devices, with many producers of IoT devices showing little interest in preventing the problem of exploits, leaving it to the business or individual. “Nobody has ever lost a sale because their device was not secure,” he lamented.

There are entire web sites out there devoted to discovering, listing and exploiting flaws in devices. Stephens shared with the hundreds attending the event a search result for one site, where he did a search for “hacked routers” and turned up roughly 35,000 devices. That’s just one example of the concept the threats you may not even be aware of, he said.

Security has to be renewable, Stephens stressed. What you own is, in all likelihood, going to be hacked, and what you need to be able to do is adapt. He remains a big fan of DRM, where you’re able to revoke a device that’s been hacked, so it’s no longer able to receive content. And with an IoT device, you have to consider, somewhere in your plan, that you need to disconnect it, he added.

But, the problem there — and you saw it with DVD players, Stephens said — is that manufacturers didn’t have long-term updates in mind for years down the road, and the same is being seen with early IoT devices. IoT devices may be on version 1.01, and “they’re three years old. They’re still manufacturing it, but they’ve seen no reason to update the firmware since then.”

Treat your IoT device protections like you would a mechanical lock: once someone’s picked at, possibly broken it, change (update) the locks. And always answer this question for yourself before employing any IoT device: Are you going to get it fixed if it breaks?

The Content Protection Summit was produced by MESA and CDSA, presented by MediaSilo, and sponsored by Independent Security Evaluators, Aspera, the Digital Watermarking Alliance, Menlo Security, Microsoft Azure, NAGRA, NexGuard, Convergent Risks, HGST, PwC, Thinklogical, Avid, Militus Cybersecurity Solutions, Amazon Web Services and Bob Gold & Associates.