Critical security flaws could lurk in smart devices from a quarter of all manufacturers

Survey of engineers shows 24 percent have shipped products with undisclosed security gaps

Being an engineer at a consumer products company is tough. The need for speed is so great, the influence of attractive design so critical to the success of any product, the logistics of getting it manufactured, shipped and into stores before it is obsolete so oppressive that there is no other choice than to let good(ish) products go out the door without the final buff that would turn them into great ones.

In many cases, it turns out, the final buff is the one that would prevent simple security problems that are often very costly to the customer.

A survey of 800 engineers and developers who work on embedded devices outside the PC market showed only 41 percent thought their employers spent enough time and money on making products secure.

Despite a 60 percent underfunding rate, 64 percent of the engineers said their companies do address security problems when engineers point them out, and the flaws are fixed before the product is released, according to the summer 2011 edition of Mocana's quarterly report (PDF).

These are devices such as smartphones, computerized medical devices, remote-controlled robots, computerized storage structures, monitors, printers, smart monitors of electrical utilities and the like.

It was conducted by Mocana, which develops software for mobile devices and computer peripherals such as VoIP phone systems.

Three years ago there were so few attacks on iPhones, Android phones, tablets and other devices that lax security on an embedded system wasn't a product killer.

Now the malware and direct attacks are so common it's irresponsible to put one out without auditing its security, the report said.

Specialists in security for embedded systems are so rare that only 39 percent of respondents said they had access to a staffer or contractor to call on when those skills were needed, even though 58 percent said their companies put a high priority on making sure the security of their products was good.

Sixty percent said they definitely didn't have access to those skills.

The pressure of shipping, design, the cost of delays, the cost of remediation and the cost of hiring security skills that don't exist in-house mean that, no matter how much the company or its engineers would prefer otherwise, unsafe products go out the door all the time.

A quarter of respondents to the survey said they personally knew of a product their company shipped in full knowledge of a potentially serious security flaw that was left unaddressed and that had not been disclosed to customers or the public.

More than 2,000 threats to non-PC devices have been documented so far in 2011, but that number is growing twice as fast as the number of threats to PCs.

The result?

"The device industry will likely have only 24 months before security problems start to pose serious financial and existential threats to device-based business models," the report concludes.

Beware your smartphone. And your printer. And your storage system. And, whatever you do, don't turn your back on that way-too-smart office coffee machine. Even if it's not infected yet, it's way too complicated not to be self-aware enough to be plotting mayhem.
