In addition, 36% of engineers said that when they brought device security issues up to their management, they were ignored, according to a survey of 800 device software and hardware engineers by Mocana and UBM.
“These results shocked us. We really weren’t expecting that”, said Kurt Stammberger, vice president of market development at Mocana. “We are close to these companies. We work directly with these manufacturers.”
“This is scary because a lot of these devices are used in critical contexts…. Most of the people in this survey were folks building other types of connected devices [besides smartphones], devices like industrial automation, medical, automotive, avionics, and military devices. So it concerns us that such a significant percentage of engineers knew about security problems that haven’t been disclosed and that when they surface problems to their companies, the problems are often not addressed before the device is shipped”, Stammberger told Infosecurity.
Stammberger offered his opinion as to why engineers are having such a difficult time getting management to listen to their security concerns. Until recently, “nobody worried about malware on embedded systems. Nobody worried about hacking into smart meters. It hadn’t bubbled up to the public consciousness yet. And many of the device populations hadn’t gotten large enough to be interesting to hackers to attack.”
Within the last two years, there has been an explosion of devices connected to the internet. And these devices have become “juicy” targets for hackers. “The management of the design teams at these companies isn’t really up on how fast the security threat is moving and how imminent the security problems are with devices”, he opined.
The Mocana survey also found that only 41% of engineers surveyed believed that their company has allocated sufficient time and money to secure device products against attacks. “The guys on the frontline are not comfortable with the devices they are producing. They have been trying to sound the alarm to management, but so far, they have found management unresponsive”, said Stammberger.
Only 39% of engineers responded that they have good access to embedded security expertise when they need it. The Mocana official attributed this finding to the dearth of qualified device security professionals in the marketplace.
Stammberger said that the solution to improve device security is to raise awareness within these companies as well as in the public at large. “Industry needs to look at itself in the mirror and ask, ‘Are we doing the things we need to do to be considered good corporate citizens?’… For the time being, industry needs to police itself.”