Security Round The Edges Of The Internet Of Things

IoTing ‘things’ is not the problem. It’s the lack of good security in worlds where ‘things’ are made and used.

A post inspired by one Dave Waterson (Founder and CEO of SentryBay) published on LinkedIn today:

The ascension of man over fridge

Great title and great post. In it he talks about Jack and Jill’s adventures with their IoTed fridge. It highlights all the hugely helpful capability on offer.

His caution: it must come with good built-in security and options to limit data sharing and inter-device operation to suit users’ needs. I can’t agree more. Too often a rush to market or ‘helpful’ add-ons leaves multiple holes and demands far too many permissions and accesses. A parallel to the often ropy and privilege-hungry apps we already live with.

But it’s bigger than that. It’s about control and knowledge gaps in the worlds those ‘things’ get designed in, and delivered into. Let me illustrate by exploring Jack and Jill’s fridge fun a little more:

No Fridge Is An Island

Copyright : Anton Deviatnikov
One day Jill gets an email from the fridge manufacturer with a link to update fridge software. She clicks, thinking nothing of it.

The next day her bank calls to flag potentially fraudulent activity on her bank account.

It is traced back to her fridge app jumping onto public Wi-Fi, triggered by systems at the supermarket: new screens on shelves that interact with the app to recommend recipes. The app prompts a log-on to check stock at home of complementary ingredients for a particular dish. That lets the spoofed or compromised Wi-Fi access point at the supermarket scoop up credentials and store them, or relay them to a listening server.

Credentials are tried against common retail and social media sites. They were reused in 4 places. That yielded a treasure trove of information to directly exploit sites and craft precisely targeted phone scams or phishing mails.

The emailed malware, masquerading as a fridge software update, exploits weaknesses in poorly designed programmes. Mainly the software Jack and Jill downloaded to collectively control all the smart home IoT devices. It quietly evades malware detection tools (if they are there and updated) because it’s built to mimic permitted processes.

It’s into email and other online retail and social media sites, scooping contact information to spread itself around. An initial spending spree triggers the bank alert, but the watching code sits tight, hoping for juicier prizes to sail across the uber-connected home network, the alarm system deactivation code perhaps.

Peddling FUD?

It must look like I’m ‘being’ the FUD problem (and it’s entirely possible I’m off track with some of the potential for exploitation), but no risk can be considered without its context.

Things must (as Dave said) come with options to limit their access and data sharing. But the real-life context, where the planned benefits will be reaped, has to be more secure to balance opportunities against risks. No matter how bright and shiny our increasingly connected world, good old basic security remains our friend. In my little skit:

…and all of the other customer and vendor side controls necessary to safeguard data collected via new windows into every corner of our lives.

What do you think? Is there any way security education and protection for the general public can keep up? Will IoT vendors self-police to ensure a good standard of security for shipped devices, associated software and lakes of collected data?

Don’t hate technology, don’t fear innovation, but do look round the edges at context and implications in our real imperfect world. I for one am keeping faith we’ll persuade at least some business and users to check and do simple things to stop costs outweighing the undoubted benefits.

  1. The promise of IoT is in many ways tied to the promise of big data. Vast numbers of sensors streaming data into automated decision making engines that control the actuators in the things around us.

    The risk in IoT is visibly in the real world effect of the actuators (stopping cars, locking doors etc.) but invisibly in the vast data sets that will be created and the patterns or profiles that will be possible to create from them. The intersection of ‘privacy by design’ in the data protection regulation and effective IoT systems of systems of devices is going to be complex and messy.

    The point at which you can identify if Dave or Sam Cameron is at home by the weight of what is flushed away combined with the number of lights turned on at the time and the temperature they like the heating is when this might become a bit more real to people. When that is combined with open pseudonymised medical data to tell us their life expectancies is when it will start impacting things like insurance and mortgage rates…