IoT Security - If You're Thinking Only about IoT Data Protection, You're Seeing Only Half the Picture

Have you walked into the garage or basement at your parents’ house lately? Can you wrap your head around all the things in it? Tools, bits of furniture, buckets of bolts, paint cans, old bicycles, auto parts, file boxes, holiday decorations, gardening equipment... I don’t care how well organized it is, it’s almost certainly a lot of, well, things.

Photo credit: Bill Smith, CC BY 2.0


I bring that up because a lot of people are ignorant of (or in denial about) the security ramifications of IoT and all the connected Things they’ll have. “I’m not worried,” they say breezily. “All I have is my smartphone and my computer. They’re secure and my data is protected. Besides, they’re not on the Internet of Things.”

Bull. If you’re thinking only about the IoT data protection I described in my previous post, you’re seeing only half the picture.

First, it’s shortsighted not to think of your phone and your computer as part of the Internet of Things.

True, a number of Things in your home or workplace will communicate with one another directly. For example, your smart door lock may turn your smart lights on and the copy machine on your floor may send an order for toner to your supplier’s server.

But don’t forget that IoT hardware vendors want their Things to be as flexible as possible, so they let you use your phone and PC to configure the Things around you, whether directly or over the Internet. You end up with configuration data, cookies and other bits on your devices that reveal your use of the Things and maybe even identify you, your house or your place of work.

Next, just like all the things in your parents’ garage, you’ll eventually lose track of your Things.

“Hey, Dad, may I borrow your sledge hammer this weekend?”

“Sure. It’s in the garage.”

“Yeah, but where in the garage?”

“You know, in the garage.”

He doesn’t know where it is. He lost track of it sometime in the 1990s. You too will lose track of your Things.

Sure, at first all those connected Things around you will be numerous and novel, and you’ll wonder how you ever got along without them. Your life will be a 24-hour-a-day, voice-activated, real-time, remote-controlled, self-running adventure. But in time, and with the advent of new Things, the older ones will fade into the background. Once the blush is off the rose, their connectedness won’t be that big of a deal to you anymore.

Don’t believe me? Stop and think: How many Bluetooth headsets would you find if you went through all the drawers in your house and office right now? How many poor, dead phones (cellular and landline)? How many digital cameras? At the time, they were just as gee-gosh-gotta-have-’em as the connected audio system you’re saving up for now, weren’t they? But today they’re just lost toys, like Woody and Buzz at the Dinoco gas station.

Also, unlike the bowling ball and Chevy axle in that corner of your parents’ garage, your Things will still be connected and addressable. Sensors will still be sensing, monitors will still be monitoring and signals will still be moving for some time after you’ve stopped paying attention to all the usefulness you derive from them. And even after that, they’ll still contain data.

Finally, all that connectedness is a double-edged sword.

For you, IoT will represent a new level of harmony and convenience. But for a lot of people, “IoT” stands for “Internet of Temptation,” and they can’t resist the interesting technical challenge of getting into your Things. Consider a few conspicuous targets:

  • Vehicles – On proprietary networks, connected cars are not so vulnerable, but the automotive IoT is looking more and more like the Wild West. When the manufacturer’s app designed to let you control physical functions of your electric vehicle also lets you control anybody else’s, is that cause for alarm? We believe so.
  • Televisions – Set aside the fact that cable and satellite providers know exactly what you’re watching and when you’re watching it, and that they’re probably making a nice side business out of selling that information to advertisers. What’s more worrisome are the microphone and camera in a smart TV, which represent points of vulnerability and exploitation. (Fortunately, the manufacturer discloses the vuln in its privacy policy.)
  • Routers – The wireless router or access point is becoming the unsung hero of in-home IoT. It shuttles messages among devices and to/from the Internet. You and I have every reason to hate our router because it’s an ugly, inscrutable box, so we use Wi-Fi Protected Setup (WPS) to connect our devices, especially our TV. WPS is known for its PIN brute-force vulnerability, however. Do you mind sharing your wireless network with a few dozen kids in your neighborhood?

Mind you, these conditions all start out as good, old-fashioned ineptitude or an honest mistake in the manufacturing process. But the Internet of Temptation comprises millions of people around the world with absolutely nothing better to do than to find a vuln or two and see what they can get away with. As we continue to buy inadequately secured vehicles, televisions, routers and Things, the attack surface will continue to grow and the fun of IoT will become mired in worry.

Seeing both halves of the picture

“If these walls could talk,” as the saying goes.

Someday, they will talk, so you can either be careful about what you say when you’re among them or make sure that they can’t talk to anybody but you.

That’s how the security side of the IoT picture looks.