
How to secure devices after support goes away

Smart-home devices can go dark without customer recourse—that has to change.

A good indication that a smart device is about to become useless, according to CrowdStrike Global CTO Elia Zaitsev, is when the company behind a shiny new product goes dark, consigning all future updates and functionality to the wind.

That can mean a serious problem under certain circumstances.

“It’s one thing if we’re dealing with a child’s toy, but for dealing with critical infrastructure, medical devices—they need to be designed and sold from a commercial operational perspective with a concept of how we operate these devices on a long-term basis,” Zaitsev told IT Brew during an interview in April at RSA 2023.

It’s not a new problem. British smart-home company Hive stopped selling devices in the US and Canada in 2022, specifically home cameras and security systems, and will phase out services over the next few years, with support reportedly ceasing fully in 2025.

There’s no recourse for customers who want to continue using the products, making it “an uncomfortable reminder that ownership of any device tied to a service can be bricked whenever a company’s priorities change,” as The Verge put it last year.

Function of change. Zaitsev, who has been with CrowdStrike for over 10 years and has served as global CTO since February, believes that a shift in mindset around functionality is sorely needed. Unserviced devices are entry points that threat actors can exploit to access the car, factory floor, or even energy resources.

Passing the cost on to the consumer may be standard operating procedure, but that’s not sustainable in the long term, Zaitsev said. Rather, security by design should be part of the development process and come with a transparent pricing model.

“We need to make sure that those costs are kind of built into the economic model, and they’re transparent, so that we can potentially have the features built in there, things like robust audit, logging, the ability to securely update these systems and vulnerabilities that are detected over time, the ability to instrument them, and get telemetry,” Zaitsev said.

Shifting the mindset includes regulation to ensure that companies are held accountable when they don’t live up to their obligations with respect to repair and updates. The solution? Zaitsev believes it’s found in government regulation.

“I think this is, frankly, probably more of a legislative policy type area to an extent,” Zaitsev said. “But if security is mandatory, that’s a very different scenario versus [it being] an optional add-on that I’m going to charge you extra for.”

About the author

Eoin Higgins

Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
