Everyone talks about “The Internet Of Things” (IoT), whether it is a web accessible security camera or your internet connected refrigerator that tells you when you are low on milk. Recently, a stalker talked to a nanny while she changed the baby’s diaper. We have also seen home routers with vulnerabilities that allow a hacker to take over the router and do things like inventory the devices on your network or watch all the traffic going in and out of your home or business. What people don’t talk about is the security of the IoT, or the lack of it.
One ex-husband bragged about having his ex-wife and her boyfriend wake up to a 40 degree house in the winter because she did not change the password to her Internet connected thermostat. After she went to bed, he turned off the heat and just before she woke up, he turned it back on. In the summer, he turned off the air conditioning.
But these are all child’s play.
The bigger problem is that for many homes and businesses, the Internet based devices are on the same network as your laptops, tablets, phones, desktops and even servers. Which means that when that IoT device gets hacked, everything else on your network is at risk. Fundamentally, this is very similar to how the Target and Home Depot attacks happened. In those cases, it wasn’t IoT devices, but the attackers found vendors who had access to the network, attacked them and used their access as a foothold to attack the bigger network. Between them, 100 million credit cards and 100+ million email addresses were compromised.
Is this going to get better? Not likely, at least not anytime soon. When a refrigerator manufacturer decides that in order to be competitive they need to have a web interface, they are going to go to the market and see where they can buy that software for as little money as they can. They are not going to look for the most secure web interface they can find, because they are not liable if your refrigerator gets hacked. Read the software license agreement that comes with your refrigerator. They are also not going to set up any way for you to patch your refrigerator. They don’t want to spend the money, don’t have to, and would have to support users who have problems updating their refrigerator.
Recently, my dishwasher broke. The repairman came in, took out his laptop and an ethernet cable and plugged the cable into my dishwasher. After a few clicks, he pronounced that the pump was broken and went out to his truck to get a new one. He never even turned the dishwasher on until he was packed up. The good news is that the dishwasher is not always connected – only when the repairman came, but soon that will change because the manufacturers want the data of how you use your dishwasher and when.
For 30 years, at least, IBM mainframes have been connected to a network and would phone home when they were feeling peaky. I remember IBM repairmen knocking on my door to tell me that they were here to fix my IBM System 370. Why not your dishwasher? Sounds like a great incentive to get you to sign up for a service plan (for a nominal fee) and for them to get you to give them your data. Actually, this is a bit worse than Google. With Google, you give them your data for free. In this case, you PAY them to take your data.
Bruce Schneier was interviewed on this subject this month. He said you should be worried, but there is nothing you can do (see article). I am not quite as pessimistic as Bruce is in this case (that’s unusual for me), but I agree it is a real challenge.
That doesn’t even begin to talk about the privacy issues. Someone is going to want to know when your refrigerator tells you to buy milk so they can serve up ads for milk. All that data will get sold and/or given to marketers and/or the government. It is guaranteed to happen. Here is an article on this part of the subject entitled Check your privacy at the door. The writer suggests that:
- The data will get sold to marketers (that’s pretty obvious)
- The data may get used against you in court. An example is a current accident case where the victim says she was injured. The insurance company is going to use her FitBit data to see if that is really true.
- Hackers will use it to “own” you. HP says that 7 out of 10 IoT devices have some kind of security flaw with an average of 25 vulnerabilities per device.
There is not a lot you can do about it unfortunately. Certainly, you should use what features you can – change the default password, disable features that you are not using, etc., but the IoT is kind of like Windows was around 1996. And that is not very secure.
For businesses and sophisticated home users, you can isolate the IoT devices from the rest of your network. At least all they will be able to do is hurt each other that way.
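One way to do that isolation on a Linux router, as an added example that is not part of the original post: the IoT devices sit on their own network segment and the firewall refuses any connection they try to open into the trusted LAN, while the LAN can still reach them and they can still reach the internet. The interface names lan0, iot0 and wan0 are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): emit an nftables ruleset that
# keeps an IoT segment from initiating connections into the trusted LAN.
# Interface names are assumptions: lan0 = trusted LAN, iot0 = IoT segment,
# wan0 = internet uplink.

gen_iot_ruleset() {
    lan="$1"; iot="$2"; wan="$3"
    cat <<EOF
table inet iot_isolation {
    chain forward {
        # anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # replies to connections that were allowed to start
        ct state established,related accept
        ct state invalid drop

        # trusted LAN may reach the IoT devices (to manage the thermostat)
        iifname "$lan" oifname "$iot" accept

        # trusted LAN keeps its normal path to the internet
        iifname "$lan" oifname "$wan" accept

        # IoT devices may reach the internet (their cloud service, updates)
        iifname "$iot" oifname "$wan" accept

        # IoT devices may never open a connection into the trusted LAN;
        # log it so a compromised device trying to is visible
        iifname "$iot" oifname "$lan" log prefix "iot-to-lan: " drop
    }
}
EOF
}

# Print the ruleset; apply it as root with:  nft -f <file>
gen_iot_ruleset lan0 iot0 wan0
```

Devices on iot0 can still talk to each other on their own segment, which is exactly the "they can only hurt each other" outcome described above.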
Right now, it is not a huge problem because the number of smart thermostats, lightbulbs and cameras is relatively small; wait a few years until there is an iBulb or iThermostat and I might not be so positive.
One thing you might consider: there are now door locks that you can unlock with your smart phone. I suggest that if you can do that, so can a hacker. And, if you come home, find the door unlocked and no forced entry, will the insurance company pay for what is missing or call the police on you? It’s a brave new world.
And we are only on Chapter One.