IoTing ‘things’ is not the problem. It’s the lack of good security in worlds where ‘things’ are made and used.
A post inspired by one Dave Waterson (Founder and CEO of SentryBay) published on LinkedIn today:
Great title and great post. In it he talks about Jack and Jill’s adventures with their IoTed fridge. It highlights all the hugely helpful capability on offer.
His caution: it must come with good built-in security and options to limit data sharing and inter-device operation to suit users’ needs. I can’t agree more. Too often a rush to market or ‘helpful’ add-ons leave multiple holes and demand far too many permissions and accesses. A parallel to often ropy and privilege-sucking apps.
But it’s bigger than that. It’s about control and knowledge gaps in the worlds those ‘things’ get designed in, and delivered into. Let me illustrate by exploring Jack and Jill’s fridge fun a little more:
No Fridge Is An Island
One day Jill gets an email from the fridge manufacturer with a link to update fridge software. She clicks, thinking nothing of it.
The next day her bank calls to flag potentially fraudulent activity on her bank account.
It is linked back to her fridge app jumping onto public Wi-Fi, triggered by systems at the supermarket: new screens on shelves which interact with the app to recommend recipes. The app prompts a logon to check the stock at home of complementary ingredients to make a particular dish. That enables the spoofed or hacked Wi-Fi access point at the supermarket to scoop up credentials and store them, or broadcast them to a listening server.
Credentials are tried against common retail and social media sites. They were reused in 4 places. That yielded a treasure trove of information to directly exploit sites and craft precisely targeted phone scams or phishing mails.
The emailed malware, masquerading as a fridge software update, exploits weaknesses in poorly designed programs, mainly the software Jack and Jill downloaded to collectively control all the smart home IoT devices. It quietly evades malware detection tools (if they are there and updated) because it’s built to mimic permitted processes.
It’s into email and other online retail and social media sites, scooping contact information to share itself around. An initial spending spree triggers the bank alert, but the watching code sits tight hoping for juicier prizes to sail across the uber-connected home network, the alarm system deactivation code perhaps.
It must look like I’m ‘being’ the FUD problem (and it’s entirely possible I’m off track with some of the potential for exploitation), but no risk can be considered without its context.
Things must (as Dave said) come with options to limit their access and data sharing. But the real life context, where planned benefits will be reaped, has to be more secure to balance opportunities with risks. No matter how bright and shiny our increasingly connected world becomes, good old basic security remains our friend. In my little skit:
- Caution using public Wi-Fi
- Two-factor authentication
- Not reusing passwords, and finding easier ways to set and remember good ones
- Updating software
- Software vendors designing secure apps that don’t grab unnecessary permissions
- Phishing and vishing awareness
- Having and updating endpoint protection
…and all of the other customer and vendor side controls necessary to safeguard data collected via new windows into every corner of our lives.
What do you think? Is there any way security education and protection for the general public can keep up? Will IoT vendors self-police to ensure a good standard of security for shipped devices, associated software and lakes of collected data?
Don’t hate technology, don’t fear innovation, but do look round the edges at context and implications in our real imperfect world. I for one am keeping faith we’ll persuade at least some business and users to check and do simple things to stop costs outweighing the undoubted benefits.