November 21, 2016
Who Will Make the IoT Safe?
Is there a specific place where we can plug in some type of security to help stop the mischief? No. But could there be?
After reading about the “distributed denial of service” (DDOS) attack that shut down major sites across the internet in late October, it is amazing to me that, conceptually, my refrigerator could be used by evildoers to attack servers in the cloud. I miss the old birdcage refrigerator that we had in our basement.. but I sure like looking on the internet to see just how old the milk is when I am in the grocery store.
To my knowledge, this is the first such attack using internet-connected devices, or the Internet of Things (IoT).
One weakness to the Internet of Things is that (as we have attached more of our home devices to the internet), there was no one overriding body responsible for creating a minimum security level to limit access by the wrong people to our microwave ovens.
But if such a body is created, then it could be more difficult for small and creative companies to make anything. Another problem with a central body creating security levels is that it really would only increase manufacturing costs. And, knowing oversight bodies, I’m sure we would then be using outdated technology in all of the devices, without really making anything secure, My internet espresso maker could then cost $1,200 instead of $1,000 and still would make bad cappuccinos when I went on my phone from by bedroom and turned it on.
See also: Insurance and the Internet of Things
Finance companies such as banks and credit card companies, medical organizations, the phone companies and computer companies have significant financial incentives to create secure devices. Yet they have had significant problems keeping their information and systems secure from the internet mischief makers.
(A quick digression: The U.S. government severely punishes private companies when there is a breach. Not only did their data go away, not only did their sales drop because of a reputation problem, not only did their customers sue them, but then, as a cherry on top, rather than helping the victim of the data breach the government fines them. Yes, I know the company should have been more diligent with the data, but…. Note that a hack of the IRS hack has cost the U.S. government more than $30 million in payments on fraudulent tax returns, and the IRS has yet to fine itself for the breach.)
Most of the people I know who have spent any time thinking about about purchasing self-driving automobiles have said they worry that hackers could take over their car (their underlying concern seems to be that it will then be driven into the San Francisco Bay, where they could not open the doors or roll down the windows to get out). There is (and should be) far more concern over the loss of control of a car than loss of control of a pizza oven, but to me it is all really part of the same problem.
So my first question was: “Is there a locus or specific place where we can plug in some type of security to help stop the mischief?”
Looking for insight, I charged down to Best Buy and asked one of the Geek Squad folks if there was such a place or way to limit outside access or control to my internet-connected electronic toothbrush? (I did come out of Best Buy with a brand new, three-year software internet security program for my new computer for only $49.95, discounted to $9.95 because I was going to look at the possibility of purchasing an internet-connected pet feeder)
The Geek Squad person said that the best opportunity for such security is the routers in homes, but, no, there is no Ronco device ($19.99 and… if you call in the next two minutes… you can have TWO Ronco internet security devices. He also said that, fortunately, my floss is still not internet-connected, so I would not have to worry about one of my teeth being yanked out by an evildoer from Nigeria who was trying to get that pesky $25 million out of the country….)
So here are some follow-up questions:
- Should there be an oversight body for all devices that will be responsible for creating a minimum standard for security for all of the internet-connected heating systems in the world? (The NSA will still want back-door access to all of the data from your garage opener.) If there is an oversight body, and it creates a minimum security program or level, will it be enough to keep the evildoers out of my kitchen? (I think not.)
- Who will go on Shark Tank with the next device (Ronco??) to help create some sort of security for all of the devices in your home? This seems like a great opportunity for someone.
- Perhaps it is the cable operators (those who supply the infrastructure of the connections) who should be held responsible for identifying viruses as they go across the cables and stop them. (That is where the NSA gets all of its data, anyway.)
- Will I ever be able to look at my internet Ronco coffee maker the same way and not wonder if it is actually a drone for a hacker in Uzbekistan? Will the hackers burn my pizza for me instead of me burning it? Or, worse, will they undercook things? Will a hacker drive my car (in two years, Uber’s car) off the Golden Gate Bridge? (And will I actually be in the car when he does?)
- Will the evildoers now open my garage door and take my Xmas stuff i have on the back wall? (There is really a serious question of personal security that will get larger as the bad guys find out how to easily get into businesses and buildings.)
- Will the government take over my sprinkler systems and stop me from wasting water? (In California, this is a serious issue, and the underlying question of how much will or can the federal state and local government eventually do with the Internet of Everything will be an interesting battleground for the next 15 years.)
- Who has the data, and where are all of the devices? Information is king (and queen) nowadays, and knowing where the devices are will allow the evildoers to attack the weakest links. I bet they first hacked the companies who sell the devices to find out where they are. (Should you sign up for a warranty if that information will result in telling the mischief makers where you are and how you are connected?)
- Just how safe is the cloud? The attack in October was a distributed denial of service attack, but can the evildoers use my internet-connected fireplace to hack the cloud?
- Will all of these security problems have anything to do with privacy issues? What if the miscreants leak my information to Wikileaks about the fact that I have peanut butter in the refrigerator?
As the saying goes: Inquiring minds want to know.
There is an amazing amount of mischief that can be created if we do not have secure devices.
Think about it… and perhaps unplug your internet-connected litter robot until you know it will only be used by your cat for its original purpose.