Welcome to the first in our series of blog posts on the Internet of Things (IoT), where we’ll discuss security considerations when it comes to IoT devices.
When it comes to the Internet of Things, I believe in one simple mantra: the smarter the device, the dumber the security vulnerabilities. Now, it’s not because I’m an analog-loving hipster or cantankerous luddite (I’m just a curmudgeon), but because of the overwhelming amount of engineering work that needs to be done in order to secure a device.
The reality of bringing a product to market is that the engineering effort is focused mainly on product features with security as an afterthought, if it’s even a thought at all. After all, most consumers are looking for slick features when they buy a product, not whether their data or privacy are secured.
Security engineering lives in a paradoxical world where the individual steps to build security are simple, but the process of applying security within an organization is a monumentally difficult, even Sisyphean, task. Ultimately, the result is in a neat shiny smart device, which is shipped to consumers with really dumb and obvious vulnerabilities that end up launching a distributed denial of service (DDoS) against the Internet. Who loses in the end? The consumers. Occasionally, the vendor also suffers brand damage and a loss in sales.
Here are a couple of questions you should ask before making your next IoT purchase, to make sure you’re not unnecessarily exposing yourself and your family to random strangers and/or malevolent actors in the Internet:
The first question that should be on your mind is, “does this device really need an Internet connection?” For example, an Internet-connected security camera’s value proposition is that you can monitor the video stream remotely. That’s not something that can be offered without an Internet connection – without the connection, you’d only be able to review the recorded video when returning from a trip.
By comparison, though, does a juice pressing machine really need to connect to the Internet to tell you the prepared bag of produce is expired? It’s a value proposition that can be easily replaced by a printed expiration label. In other words, it’s a gimmick that doesn’t affect the usability or usefulness of the product.
Similarly, when it comes to “smart” door locks, is it enough that a lock communicates locally with your phone via Bluetooth with a range of approximately 30 feet, or do you want to be able to remotely unlock your front door while you’re across the globe? I personally don’t want my door opening to my home while I’m gone, so I don’t want to pay for the extra costs of incorporating Internet connectivity into my smart lock and at the same time increasing my risk and exposure.
Perhaps, though, you want to be able to unlock the door for a friend who watches your pets while you’re on vacation. With that convenience comes a potential loss in security.
In the end, just remember: if it’s on the internet, it can and will be hacked.
The key to this question is really to check if there’s an appropriate non-Internet substitute to provide the same functionality and value for your needs. A non-Internet-connected device is inherently more secure.
Once you’ve decided that the device really does need Internet connectivity to perform its services, the next question to ask is, “What data is it collecting?” That fitness tracker could be tracking your vital signs like heart rate and O2 levels, but it could also be tracking your location via GPS.
As a cyclist, that bike ride didn’t exist unless it gets uploaded into Strava (on the bright side, the food I consume doesn’t exist unless it gets shared on Instagram, so those calories don’t count). A fitness tracker accessing GPS data is acceptable for tracking routes, but that “smart” water bottle doesn’t need location information just to let you know when the next time to take a drink is.
It’s crucial to understand exactly what raw data the IoT device is recording, beyond the obvious for its intended purpose. From there, we can deduce what kind of intelligence can be derived from the data.
For instance, it makes sense for a dongle provided by your auto insurance company to capture telemetry related to your driving style, to make sure you’re not racing on the streets trying to be the next Michael Schumacher. But what if that dongle had a discreet microphone and recorded audio in your car? Could that audio recording then be used to prove you were talking on a phone while driving, which is now a crime in some states? Or will that audio recording eventually find its way onto an unsecured webserver, so everyone can download your off-pitch singing to the latest Justin Bieber song? You better “beliebe” it.
Along the same lines, the GPS location reported back to your insurance company could reveal that you routinely park your vehicle in a location with a high rate of auto theft activity, which would increase your insurance rate, negating the whole purpose of letting your insurer invade your privacy in the first place.
We might be a long way off from the killer robots of “Terminator,” but it’s not a huge mental leap to believe that your smart device can and will eventually betray you.
The next logical question is, “How is that data stored and used?” For Internet-connected devices, just about every manufacturer will tout that they use “military grade encryption” or “bank grade security” to protect your data. Those phrases are actually just marketing speak for the advanced encryption standard (AES) algorithm, a well-known and tested algorithm that provides strong guarantees.
Back in the paradoxical world of security engineering, encrypting data is easy: pick an accepted cryptographic software library, pick an appropriate algorithm, and use it. The difficultly comes in trying to prevent that hot-shot developer from coming up with his own cryptographic scheme, which will ultimately contain many known cryptographic vulnerabilities, as well as implementation flaws.
The key to encryption is Kerckhoff’s principle, which states that the cryptography will be secure as long as the encryption key is kept private, even if everything about the system is public knowledge. This is an often-overlooked aspect of encryption because the real secret is that encryption key management is hard. Hardware security modules (HSM) exist to help manage the difficulty of protecting encryption keys, but they are exceptionally pricey.
Essentially, what that means is that while encryption sounds highly secure and unbreakable, that’s not necessarily the case and it’s certainly not a security panacea.
Sometimes, though, it’s not even the IoT device itself tracking your personal information, but the corresponding companion smartphone app that is quietly grabbing all the data and metadata in the background. I predict we will continue to see a steady stream of reports of customer information being exposed on the Internet for anyone to find.
Online gamers learned this lesson the hard way, as game studios often shut down one after the other like dominos and take their servers down with them, effectively making their video games unplayable. For some games, the online component only served as a form of digital rights management (DRM) to ensure the player had a valid copy of the game, and yet because the DRM server was taken offline, the copy is now unplayable, rendering the expensive game disc less valuable than an AOL free trial CD.
Annoying? Absolutely. But what about your data security and privacy?
The online component of an IoT device is typically a set of servers or virtual machines running in a nebulous cloud, listening for the devices to phone home, upload data, and perform some computation. (Why do we call them “smart” devices when the brains of the device are actually a hive mind running in the cloud?)
So, what happens to your fancy new IoT gadget when the online component is shut down permanently? For some unlucky consumers, it means they just spent their hard-earned money on a fancy paperweight, or perhaps a warm steel box for the cat to perch on. In fact, the business doesn’t even have to shut down - it can be acquired by a technology giant which then proceeds to takes an axe to the metaphorical brainstem of the hive mind.
It might have been easy to rationalize the decision to purchase an expensive IoT device on the grounds that it should provide you with multiple years of service. Unfortunately, that’s not the case if the company behind it closes shop and packs up the brain behind your “smart” device - and then (to add insult to financial injury) sells off your personal data as part of the acquisition or liquidation process.
Finally, the last question to ask is, “What is the manufacturer’s track record: have they been breached before and how do they respond to security issues?”
It’s important to understand the maturity of a company’s security culture, which can be highly varied, based on company priorities. Signs of a mature security culture include:
Companies with a mature security culture can detect and respond to security incidents quickly, to minimize impacts to your privacy. They should also then deploy the appropriate fixes to prevent future incidents from occurring, while the rest continue to repeat the same mistakes and leak your private information like a firehose.