The Internet Of Bad Things: Why Security Will Make Or Break The IoT

by Lee Gruenfeld, Vice President, Strategic Initiatives, Support.com - February 1, 2016

Let me tell you something you already know: There are a lot of bad people out there.

Like viruses, bad people will exploit any opportunity and wave off any pangs of conscience if they smell a victim. And if there’s one thing the Internet of Things (IoT) can supply in abundance, it’s opportunity and victims.

Computers in homes and businesses started being hacked about ten minutes after the first commercial Internet connection went live. The type of person who thinks nothing of doing $10,000 damage to a car to steal a $200 radio won’t care if he destroys a lifetime of data in order to extort forty bucks from an unsuspecting computer user. Worse yet, some of these criminals aren’t even after anything material; they cause massive damage just for fun and bragging rights.

Over the years, an entire industry has arisen to combat these parasites, and it’s done a pretty good job: If we follow a few simple rules, use good security software, are diligent about backups and don’t talk to strangers on the phone, we’ve got a good chance of not getting whacked. (We’re still going to get spammed, but, handled properly, spam is an annoyance, not a menace.)

Just as we thought we were starting to gain the upper hand, along comes the IoT. Compared to the relative orderliness of the personal computer world, the IoT is a lawless frontier of cowboys, rustlers and land grabbers sitting atop history’s largest gold mine.

Why? First of all, the IoT is everywhere. It’s in our homes, in our cars, and on our bodies. If we don’t let things talk to other things, the virtues of the IoT can’t be enjoyed. And when everything is talking to everything else, they may “say” things we don’t like or even know about. It’s an irresistible target for cyber criminals, who dream up new methods of attack as fast as new devices, ecosystems and protection software are released to the market. An extensive study announced at a security conference on Nov. 23 by EURECOM found significant vulnerabilities in devices from 25 percent of the 54 manufacturers they tested. The only explanation one of the researchers offered for why those flaws existed was that the manufacturers either used poor testing methods or didn’t test at all.

We already know baby monitors can be used to steal private information. Home systems can be hacked through smart thermostats. Connected automobiles can be made to stop dead on the freeway by remote control. It’s only a matter of time before someone figures out how to read what you’re typing by tapping into your smart watch…if they haven’t already. And we don’t even want to think about the consequences of hacking medical devices.

The people who sell us home automation devices aren’t telling us much about all of that. What vendor wants to scare his customers?

As consumers of these smart devices, we want to plug in things and have them start running (within an hour, or at most a day, according to our own recent research*). We want everything talking to everything else, unfettered by firewalls, complex passwords and three-factor authentication.

We can’t have it both ways, and the way we resolve the dilemma isn’t always in our own best interests. As comic-strip character Pogo put it many years ago: “We have met the enemy and he is us.”

As ever, what we really want is to be protected from ourselves. Fortunately, the industry is taking note and is acting. There’s nothing altruistic about it: Unless something is done, the runaway train that is the IoT is in danger of getting derailed. (Or even worse, regulated. But more on that another day.)

The state of the art in IoT security

The go-to answer to digital security is always “consumer awareness.” For PCs, it’s effective to a reasonable extent. By “reasonable” I mean that most people know they need anti-virus protection and many are coming around to doing regular backups. The trend is driven by ubiquitous horror stories: We’ve all either been victims or know someone who has. The safest computer users are the ones who take pains to protect themselves.

But in the IoT, consumer awareness as a defense is a losing proposition, at least for the present. There haven’t been enough horror stories (the woman whose co-worker spied on her in her bedroom did it through a laptop camera, not a home automation device). Millennials are showing a marked propensity to not care much about privacy if there’s a personal benefit to compromising it, or at least if you don’t bother them too much.

So it’s pretty much up to the technology community to protect its customers from themselves. They’re motivated to do so because they know the “Big One” is coming soon, and they don’t want it to be associated with one of their products. If someone gets burglarized because the bad guys shut off the alarm system through a connected thermostat, everyone who makes connected thermostats is going to suffer.

The “Big One,” by the way, isn’t going to be something like the Target data breach and other such incidents, which barely made a ripple in the public consciousness despite industry attempts to hype them into catastrophic proportions. Because of strong consumer protection laws, holders of Target charge cards, like bank credit card customers, essentially have zero liability. The Big One is going to be something far more personal, or even lethal.

The IoT security opportunity

There’s a huge opportunity for some company to crown itself the brand leader in IoT security. The key will be a simple, visible, one-step way to protect devices and ecosystems. The eventual acceptance of labels boasting “Protected by X” as all the security you’ll ever need will be worth a fortune, and that’s what’s driving entrepreneurial tech companies to become this brand leader and savior.

It could be Microsoft, which has committed to adding BitLocker encryption to its Windows IoT. Another possibility is Gemalto, a pioneer in securing mobile payments. Their Secure Element (SE) technology is embeddable into devices and provides both encryption and access limitation. It’s being considered for use in the automotive and utility industries and is easily adaptable to other categories of the IoT.

If I had to bet on an approach for smart homes, it would be on either Dojo, the first offering from Israeli start-up Dojo-Labs, or Sense from Finnish company F-Secure. Both are cloud subscription services that work through a device plugged into the homeowner’s WiFi router to create profiles of how all of the devices in a connected home behave and then react to anomalies.

An interesting development is the Internet of Things Security Foundation (IoTSF). It was created by a consortium of major tech firms who realized that they had everything to gain and nothing to lose by collaborating with their competitors on the matter of security (something Las Vegas casinos figured out a long time ago). There are also ideas afloat for using independent platforms that allow large networks of devices to federate authentication in a kind of “mesh verification.”

These are all good concepts, albeit a long way from proven. They’re also device-centric, which creates two special challenges.

The first is that most IoT devices are “always on” and are only authenticated once, which makes them attractive targets as gateways into their associated ecosystems.

Which brings us to the second challenge, the question of where hackers are really likely to attack, and it isn’t only at the device level. As any proselytizer of Big Data can tell you, the good stuff is in the cloud. In fact, from a technical perspective, it’s all in the cloud, and there’s very little consumers can do to protect themselves other than deal with reputable companies who take privacy seriously.

Another reason to deal with reputable companies, no matter how attractive the offerings of the lesser-knowns: Suppliers of your home automation devices are monitoring them and periodically downloading firmware upgrades. This isn’t something you want done by a fly-by-night firm who’s probably outsourcing development to the lowest-cost vendor somewhere in outer Alfheim.

We’re nowhere near where we need to be when it comes to securing the IoT, and you can’t wait for tech companies to do it for you. Walk through any neighborhood with your smart phone displaying the WiFi settings page and you won’t get half a block before coming across unsecured connections. Do you change all your passwords every 90 days? Me, neither (although I do back up fanatically, which protects me against certain kinds of hackers but not all). Do you even know how your smart home devices are currently secured, or if they’re secured at all? Are you sure that the only one seeing what’s on your security camera is you?

Until “they” figure it out, “we” have to take special pains to protect ourselves.

*From “Connected Consumers and the Most Personal Brand Experience” survey report published by Support.com in October, 2015.
 

 