
Your toaster is the weakest link



In a post-Christmas shopping spree, my husband brought home "an amazing deal" - a Ring doorbell bundled with an Amazon Echo. He had no intention of using the Echo, but he was super excited to protect our homestead with the Ring, and to join the neighbours in providing unauthorized surveillance for the neighbourhood.


After a conversation about surveillance capitalism, the documented issues with Ring itself, and a hard look at the real crime stats for our neighbourhood (which are negligible), he reluctantly returned the products to an astounded Best Buy clerk who couldn't believe we were passing up this "great deal"! While Ring didn't make the cut, we both got other Wifi-compatible appliances for Christmas that we are choosing not to connect to an app. As we move further into the Internet of Things (IoT), we may find that our only choices for everyday consumer goods are "smart", but these devices may also increase our security vulnerabilities.


Click Here to Kill Everybody


I've just finished cyber-security expert Bruce Schneier's book with the admittedly click-baity title, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. Schneier's role as a cyber-security expert is to be hyper-aware of security risks, think like a hacker and advise clients on their security vulnerabilities. The book takes that approach to the Internet of Things, which encompasses everything from critical infrastructure, to business applications, to consumer goods like thermostats, toys and household appliances. In many cases, it's these consumer goods that are the weakest link when it comes to security.


Hacked via a fish tank


One of the many incredible stories in the book is about a casino whose high-roller database was breached by hackers through their fish tank thermostat. The smart tank was connected to the internet to monitor temperature, food and water levels, giving hackers a point of entry to the casino's local network that contained the sensitive data. Businesses are advised to segment their network in order to isolate information between systems and to mitigate risk. However, in our homes, we typically have one network through our Wifi router.
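As an added illustration of what "segmenting the network" means in a home setting (this is not from the book or the post), here is an nftables ruleset for a Linux-based home router that puts the smart appliances on their own interface. The interface names `lan0`, `iot0` and `wan0` are assumptions; the ruleset only forwards traffic, so the router's own services are left to its existing rules.

```nft
# Added example: forward-traffic policy for a home router with three interfaces.
# Assumed names: lan0 = trusted devices (laptops, phones), iot0 = smart appliances,
# wan0 = the internet uplink. Nothing here comes from the original post.
table inet segment {
    chain forward {
        # Default: drop anything not explicitly allowed below.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start are let through.
        ct state established,related accept

        # Trusted devices and appliances may both reach the internet.
        iifname "lan0" oifname "wan0" accept
        iifname "iot0" oifname "wan0" accept

        # A phone on the trusted network may still talk to an appliance
        # (the control app keeps working) because lan0 opens the connection.
        iifname "lan0" oifname "iot0" accept

        # Deliberately absent: iifname "iot0" oifname "lan0" accept.
        # An appliance that is compromised cannot open connections to the
        # devices that hold the data worth stealing; those packets hit policy drop.
    }
}
```

With the ruleset loaded, the fish-tank thermostat of the story could still report to its cloud service over `wan0`, and the owner could still adjust it from a phone on `lan0`, but a foothold on the thermostat would not by itself reach the hosts on the trusted segment. Most consumer routers that support "guest" or "IoT" networks implement the same policy without exposing it as a ruleset.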


Poorly written and insecure


Part of the issue with securing software is how we develop it. It's standard practice to release a product that's tested as being "good enough" or, in some cases, with some known bugs. We then roll out patches or fixes. Major software developers, like Microsoft and Apple, are vigilant about sending out updates on a regular basis. They have teams of engineers dedicated to this task. IoT software doesn't work this way. In fact, there is little incentive for IoT makers to develop patches for relatively cheap products like a toaster or coffee maker. If a patch is available, it's not seamlessly pushed out to consumers in the same way as patches for our computers or phones.


Insecurity at scale and distance


When software fails, it does so at scale. It's a binary, "class break" situation: either everything works or everything does not work. One of the stories in the book is about a company that makes keyless door locks for hotel rooms. A software vulnerability was discovered in this lock, but the fix had to be applied door by door, not just to the main server. This lock was on thousands of doors in hotel rooms around the world. It took years to fix, and during that time these hotel rooms were vulnerable. The irony in this case is that while the fix needed to be applied locally, the hack could take place from a distance. This is another way that cyber-security is different from regular security: hackers can come from anywhere.


Your phone is a single point of failure


For most IoT consumer goods there is a corresponding app. That app uses the authentication system on your phone as your login. While phone software is kept up to date, there are ways to hack it, and the more your phone becomes the control panel for other devices, the more vulnerability you face.


Where do we go from here?


A long time ago, we added electricity to consumer goods. It's hard to imagine, but I suspect that until safety regulations were in place, consumer goods were fraught with dangers: faulty wiring in the devices, or switches that didn't work properly and created a fire hazard. While there is some parallel between electrification and what we are facing today with connected appliances, it's not exactly the same. We now face a susceptibility to being tampered with by bad actors. The risk isn't isolated to the single device. It's connected to the network in which that device resides, which increasingly touches everything in our lives.


It's still early days for IoT devices. While Schneier points out a number of policy solutions to make the system better, he predicts that nothing will be done in the US until there is a major catastrophe or a new generation comes to power. Sadly, I think he's probably right. In Europe, however, he points to the GDPR as a sign of progress. In the meantime, we can still make choices to decide how much connection we want to enable.

________


Schneier, B. (2018) Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. W.W. Norton & Company. NYC, NY.