THE INTERNET OF THINGS
As the number of IoT capable devices expands the security and privacy problem also increases. In this blog, we explain some Internet of Things security.
A few years ago, the idea of a web-enabled clothes dryer or “smart” light bulb sounded like either marketing hype or really boring science fiction.
Now, every new day seems to bring a new object that’s been made “smarter.” Sometimes the integration is subtle and virtually seamless— we’ve gone from watches to smartwatches or Fitbits.
Elsewhere, an upgrade solves a real problem in a helpful way. For example, video-enabled doorbells let you see who’s at your door via a smartphone app, no matter where you are.
Internet-connected objects offer new powers and more control over our lives—who wouldn’t want to turn off the stove from any room in the house, have the garage door open as you pull into the driveway, and keep that pesky neighborhood cat out while letting your cat in?
So, what’s the catch? Well, what personal data is each device collecting? How is it stored? Is it secure? Has it ever been hacked? Do I need to update my password? (Pro tip: Companies are notoriously secretive about being hacked, for good reason.)
Smart objects are designed to make our lives better, to give us more control. But what if someone else takes control? For that matter, why hack a light bulb? Can a baby monitor be weaponized? What is my dryer saying about me to the fridge, anyway?
IOT KEY CONCEPT
When we think of the ways smartphones have changed our lives, we tend to think of the convenience of texting, checking email, booking rides, and ordering takeout. We tend to forget that our phones are really small, powerful computers—and they’re almost always online.
BlackBerries and other Internet-connected mobile devices before the iPhone existed were almost exclusively used for business.
That changed in 2008 with the iPhone and its app store—and the countless apps developers could easily make for nearly everything. That drove demand for always-on internet and ubiquitous wireless access.
Wi-Fi is often cheap or free and available almost everywhere, and internet access is considered a basic human need on a par with water, heat, and electricity. In this world, it only makes sense that we’d control our homes, pets, and cars by phone.
At its most utopian, IoT promises a futuristic home, with connected appliances you can control from your phone, thermostats that let you wake up to the perfect temperature, and light bulbs that turn themselves on in the morning and off at night.
You can turn on the air conditioner in your smart car before you leave the beach so that the interior is refreshingly cool by the time you’re ready to drive home.
With a verbal command, devices in your home can play your favorite song, tell you the weather, or cue up a movie. Here are some of the “things” you might encounter.
One of the richest sources of smart devices, homes have a staggering number of options for technological conveniences, and it increases every year—from smart coffee machines that will brew coffee when you wake up (based on a signal from your Fitbit) to Internet-connected refrigerators, washing machines, dryers, and ovens.
There is even an internet-connected sou vide that enables you to start that slow-cooking dinner from miles away. Pop your iPad into the docking station on your intelligent yoga mat, and you have a personal yoga teacher, without having to venture out of your home.
Your home isn’t the only thing getting smarter. If you’ve purchased a new car in the past few years, you know that its bells and whistles are all connected to the internet.
Cars today come with their own internet connections and smartphone apps. Forgot where you parked? No worries, your smartwatch remembers!
Most pets are microchipped—this makes it easy to reconnect with them if they get lost. But the “internet of pets” doesn’t stop there! Radio-frequency identification (RFID) and microchip-activated pet doors only allow the pets you select to come and go.
The problem with tag-related access is that pets can lose these tags, and they can be costly to replace. Got a pet that is overheating? The internet of pets can help with that, too, with smart feeding bowls.
Smarter You There are now plenty of wearable fitness trackers such as Fitbit or FuelBands, or Misfit fitness and sleep trackers. But internet-connected devices don’t stop there.
Smart medical devices already exist, and they’re only getting smarter—like pacemakers or insulin pumps that can share your medical data with your doctor. Of course, these developments aren’t without their own problems.
HOW PREVALENT IS SMART TECHNOLOGY IN U.S. HOMES?
As the internet of things weaves its wires throughout our lives, so too do objects in our homes become fully connected—and interconnected.
SECURITY BASIC OPTING OUT
There’s really not much you can do to protect yourself from smart objects saving your data into the cloud and sharing it with the manufacturer. Here are a few hints for those worried about passive surveillance in their homes or businesses.
Study Up Read everything you can about the device you’re interested in, particularly the manufacturer’s data-use policies.
Hit Mute Opt out of passively collected data in your settings, if you can. You can use offline or airplane mode, which won’t connect them to the internet—although you will be missing some functionality by doing so. Much of the point of these smart devices is to be connected to the internet.
Change Passwords Be sure to change the default passwords on your devices and routers.
Besides the sometimes high price tags, what are the downsides?
Unsecured Data Much of this technology is still so new that the bugs are still being worked out… or surfacing unexpectedly.
After all, Bluetooth and smartphone apps are great tools, but they were never designed to safeguard confidential information. As voice command becomes more common, most folks haven’t yet wondered whether Alexa ever stops listening.
If the microphones are always on, and the internet connection always live, what’s happening to all that data? Is anybody listening? And if so, who are they and what are they capable of? There are lots of questions, and the answers are only just now being made public.
Listening Ears In today’s competitive business environment, the “consumer data use revenue model” is a big sell point for any digital entrepreneur looking for funding to launch a new product or company.
In other words, most new trackers and sensors have a plan to use the data they collect on you for other purposes—for example, to sell to marketers. Some have even more nefarious uses.
The Bottom Line The problem with filling our world with smart objects and sensors—although they will absolutely help us have better lives—is a data problem. We need to ask what data is being collected, how secure the storage servers are, how that data will be used, and who ultimately owns it.
Right now, data collection, use, and ownership stay with the business that makes the product. Most businesses are motivated by money—and your data is money.
Then there are other problems with these devices. Recently, I wanted to turn on my Hue connected light bulbs. But before I could do so, I was forced to update my software—turning a swipe into a five-minute update!
While a Nest thermostat is fantastic for remotely monitoring and controlling the heating and cooling in my home, hacks giving access to my data could make my home a target for thieves. The Nest could even be tampered with to spy on me!
These devices may be smart, but they don’t have morals. Where most people would feel uncomfortable listening in on private conversations in private homes, these objects have no such ethical guidelines built into them.
It’s the people who work at the manufacturers who decide what is fine to listen in on, what data to store, how to store it, and what to do with it.
GOOD TO KNOW
Science fiction is chock-full of stories about kids’ intelligent toys being used for good or evil. This concept has moved another step closer to reality with the coming wave of toys that use Bluetooth and a phone app to communicate with children.
One of the first “smart” dolls was My Friend Cayla, who connects to the internet and relays information provided by a child, something like a cuter version of Siri with some parental controls.
More sophisticated options include Hello Barbie, a model of the world-famous doll that uses pre-scripted lines to communicate with a child while also building a cloud-based bank of information to better tailor those conversations to that individual.
Concerns about these toys include uncertainty about what information is stored, how it will be used, and how secure it is from theft.
In addition, hackers have found that they’re able to hijack the Bluetooth signal that controls Barbie from outside a home and “speaks” whatever they please to kids in the doll’s voice.
Your data isn’t the only thing at risk if hackers break into their devices. They can also use them to attack websites. This Distributed Denial of Service (DDoS) attacks happens when computers or other Internet-linked devices are programmed to repeatedly request a specific website.
The millions of requests from hacked devices overwhelm the server, causing the site to go down.
In 2016, malware called Mirai (Japanese for “future”) used IoT connectivity to launch a massive DDoS attack. It identified over sixty default usernames and passwords and took over devices such as baby monitors, DVRs, and security cameras, in a network called a botnet.
In October 2016, this botnet hit DNS service provider Dyn, as well as PayPal, Spotify, Wired, GitHub, Twitter, Reddit, Netflix, Airbnb, and others. At least 1.2 million IoT devices are possibly still infected by Mirai.
HOME SWEET CYBERHOME
Unless you have a love affair with high-tech gadgets and a salary to match, your home may not be quite this wired. That said, you may well have more connections to the internet of things than you realize. As IoT technology gets cheaper and more ubiquitous, more and more devices will be talking to each other.
Vehicle (with GPS, stereo, Bluetooth phone connectivity)
Baby w/ smart diaper
LIVING ROOM, STUDY, ETC
Exercise equipment (elliptical, treadmill)
Pet door (synced to pet’s collar)
Smart breathometer (tells you if you have bad breath)
EVERYWHERE IN GENERAL
CO & smoke detectors
Smart light bulbs
Smart heating vents (open and close to shift heat to cooler areas)
Front door (pet door too; see above, left)
“Smart object,” “smart device,” “internet-connected device”—these are all terms that are used to describe objects that connect to and use the internet.
Some devices connect directly to the internet from your home network through your router, while others connect to the internet via an app on your smartphone.
When these devices are connected to the internet, you’re able to remotely control them—or program them to do things on their own.
For example, you want to schedule your lights to turn on at dusk, whether you’re at home or not. Smart light bulbs become smarter when connected to a weather site that provides the time of sunset. There are websites with hundreds of these kinds of programs.
Making Smart Objects Even Smarter IFTTT (which stands for “if this, then that”) is a free web-based service that allows you to create applets that enable you to connect your smart devices together.
This presents an interesting range of security advantages but also concerns. The biggest concern is, what if someone managed to hack IFTTT?
The way data is stored makes it unlikely that a breach would give hackers access to vast amounts of data or control of all your devices. Still, it is a worry for some.
A more immediate concern is the tendency for oversharing. The more data about your movements you put out there, the more opportunities there are for someone to track you for nefarious purposes.
On the other hand, many IFTTT applets are specifically designed to make you, your home, and your family more secure. The table on the facing page depicts a number of these options to show you how versatile IFTTT can be.
Do the security and convenience of these applets outweigh concerns about hackers? Only you can make that call, but the possibilities are intriguing.
GOOD TO KNOW
With all these concerns about data privacy, there is some good news: Plenty of companies are now working on technical solutions to help enable more control and security with data sharing.
UMA, which stands for User-Managed Access, is an OAuth 2.0 protocol that defines how developers can enable a smart object to engage in secure selective data sharing.
This protocol makes it easier for developers of software and hardware to let the owner of the smart device specify what data they would like to share and what to keep restricted.
The use of UMA removes the security burden from the item’s manufacturer and also gives consumers or owners more power over the proliferation of their own data.
UMA is a protocol that can be used right now, in fact—we just need to get more manufacturers to use it in their products. Look for it when you buy, for greater safety.
IoT capable devices
As the number of IoT capable devices expands, so too does the actual number of connections between those devices—and fast.
All around us, data is collected about our activities and behavior. From what route we took to get to the grocery store (Waze, Google Maps) to whom we’re messaging (Facebook Messenger, WhatsApp), companies that build the software we use are constantly tracking and monitoring us. Much of it is used for what’s called “surveillance marketing.”
May Be Relevant to Your Interests Surveillance marketing happens when companies such as Google, Facebook, Amazon, and other sites observe the information (data) you generate by using their services.
Google was a pioneer in this field with what was then called “contextual marketing” back in the early 2000s. After the release of Gmail, Google began monitoring the contents and context of messages in order to show advertising based on all of those messages.
If you emailed your mom about an upcoming vacation to Bali, Google might show you ads about airfare specials, travel, or vacation activities in the South Pacific.
After some outcry, the company put a halt to this particular practice. But it’s still the case that if you search shopping sites for the perfect pair of rain boots you’ll likely be stalked by advertisements for rain boots for the next year or so, across a range of sites.
Information, Please Data is collected about you not just on the Web but when also you use your phone and smart devices. Your smart thermostat, your car, your light bulbs, and your fitness tracker are spying on you and reporting back to… someone.
Imagine the offline version of this—a company representative listening in on your private conversations and following you around to see what you buy You wouldn’t stand for that kind of behavior in the real world, but it’s become part of what you expect online.
Big Brother Wants to Watch The internet of things (especially IFTTT devices) works by monitoring and responding to everything you do. But this also means that someone else could be watching.
In 2016, former FBI director of national intelligence James Clapper informed a Senate panel that the government had known about the potential to use IoT and IFTTT to spy on their users. Privacy advocates, in response, are encouraging consumers to use end-to-end encrypted smart devices and are pushing for more privacy laws.
A SMART APPLIANCE WAS WITNESS TO A MURDER
TRUE (kind of) All police knew in late 2015 was that Victor Collins and James Bates had spent an evening soaking in Bates’s hot tub listening to music streamed by an Amazon Echo. According to Bates, he went to bed early. When he woke up in the morning, Collins had apparently drowned.
Investigators served a warrant to Amazon, hoping the Echo had recorded anything of interest. It’s unlikely that Alexa will take the stand, but an interesting precedent may have been set. Siri, where’s the best place to bury a body?
YOU CAN HACK A PACEMAKER
TRUE While this is true, it hasn’t happened to a person—yet. Many medical devices have wireless functionality to share information with your doctor to see how well the device is working.
The late hacker Barnaby Jack did pioneering work here, and in 2016, security firm MedSec hacked pacemakers and defibrillators and then licensed to a Wall St. hedge fund the data on how they did it.
Medic's hacks included sending a shock—wirelessly. The firm shorted the stock of the manufacturer, St. Jude Medical. St. Jude denied this, but the FDA and DHS confirmed the hacks. Barnaby’s most famous hack had been of an insulin pump, causing delivery (in a lab) of a lethal dose of insulin.
ON THE ROAD As the internet of things grows, it’s no surprise that it extends to affect our vehicles as well. Our cars, trucks, and SUVs are not only a source of more data for companies to mine but open drivers up to a new range of threats.
Digital Carjacking In 2015, Wired magazine writer Andy Greenberg volunteered to drive a Jeep Cherokee while hackers attempted to control it remotely.
Hackers Charlie Miller and Chris Valasek were able to take control from ten miles away by laptop; Greenberg was helpless to stop the duo from controlling the A/C, radio, windshield wipers—and even stopping the transmission.
The same sort of vulnerability had been demonstrated previously in 2013, with hackers accessing the brakes, horn, seat belt, and steering wheel of a Toyota Prius with Greenberg behind the wheel.
Only in recent years have legislators begun to set electronic security standards for automobiles, and some automakers have issued even recalls for their vehicles. Nonetheless, the risk of hackers assuming control to control it, stalk the driver, or steal relevant data still exists.
So far, the hacks have only been done to help understand a car’s vulnerabilities. However, it is no longer the stuff of bad movies to imagine that you could be hurtling down the freeway when, with no warning, your doors lock, brakes fail, steering freezes, and seat belt clicks open. But hey, you can still stream your Spotify playlist, so that’s good.
Driverless Cars Anyone who has been paying attention knows that the era of the driverless car is finally upon us, as more and more companies follow in the steps of Google’s extensive testing.
Safety concerns are, of course, paramount, and there have been a number of fender benders (mainly the driverless car being rear-ended by a car with a driver inside), along with reports of cars blowing through red lights or stop signs.
A Tesla in “autopilot” (semi-driverless) mode was involved in a fatal accident back in 2015, but after much investigation, the manufacturer was absolved of fault. Indeed, the statistics show that cars with autopilot are actually involved in 40 percent fewer incidents.
As the internet of things is a relatively new phenomenon, ways of keeping yourself safe mainly involve doing your research and using common sense.
Research purchases before you buy.
Change your modem and router passwords to something other than the factory default.
Use screen lock codes on all mobile devices.
Isolate IoT apps.
Ensure that medical devices are locked to only critical services.
Ask device providers about wireless security.
Set up a separate home network with a separate firewall with all your IoT Devices behind the firewall.
Place IoT devices on a virtual LAN segment.
Install surveillance software to collect data packets sent from your devices through your network.
KEEPING A SECURE CONNECTION
Your smartphone’s Wi-Fi and Bluetooth capabilities mean you can connect anywhere, anytime, to any network or device. No question, the ability to work and play online using your smartphone is awfully convenient.
But every single public access point you encounter is a chance for someone else to peek in and even steal sensitive information from you while you’re online. And if your Wi-Fi is turned on, products like the WiFi Pineapple can trick your device into sharing information without your knowledge.
To be safer when using your smartphone, laptop, or tablet, use only secured connections. Use a VPN connection, or just always skip-free unsecured public Wi-Fi. Your phone still can use its own mobile data in plenty of places. It might cost a little more depending on your plan, but the added safety is often worth the money.
The spyware stuff can be really great for keeping tabs on your kids or checking in on elderly relatives.
But remember, if their phones or yours are hacked, that’s a lot of data falling into the hands of strangers. In information security and intelligence operations, this is known as dual-purpose technology.
A classic example is the IMSI-catcher (mobile phone eavesdropping device) that has put Edward Snowden in a huff. You are truly happy that the government has it when using it, for example, to home in on a kidnapper or a child molester, or to locate mobile devices in prisons.
But it’s not so great when the government focuses attention on whatever you happen to be doing—especially if you don’t want to explain why you were at the Shady Acres Motel the night before. That’s a classic dual-purpose quandary.
Not all the problems surrounding smart vehicles and devices are limited to the ones that are on the ground. Radio hackers have broken into American and British air traffic control and transmitted bogus flight information to pilots. These “ghost transmissions” have requested that pilots change their landing plans and diverge from flight paths.
Up until now, the instances of air traffic hacking have been low in number; only twenty ghost transmissions have been properly identified and no one has ever been caught in the act, let alone prosecuted.
The equipment for breaking into the pilot’s signal sets a user back about $450 USD—still well within the means of a determined troublemaker. And the real problem is that there’s currently no technology available to block the unauthorized people who are making these transmissions.