Diary

Why the Internet of Things Could Become a Privacy Headache


Futurists have always yearned for the day when The Jetsons is reality, where every home is intelligent, and everyone can have Bill Gates-style home automation.  That future is being realized today, with the evolution from computers, to game consoles, to smartphones, and finally, our “stuff”, all connected to the cloud.  By “stuff” I mean appliances, controls, and systems that already have a purpose in the non-connected world, like toasters, ovens, refrigerators, garage door openers and doorbells.  It’s called the Internet of Things (IoT).

These are the heady days of a new technology, where anyone can be an inventor, and thousands of ideas compete to be the “killer” product, before the Large Faceless Corporations take over (yes, Apple is a large corporation now).  Samsung even has a refrigerator that tweets.  I actually thought about getting it when we were buying a new fridge, but opted for the pedestrian off-line version.  We can expect every type of Thing imaginable joining the IoT.  Hundreds of garage engineers and tinkerers are making everything from smart doorbells to e-paper door access panels (very cool IMO), to the foobar, an automated cocktail dispenser (one of my favorites, which ought to be sold in Skymall).

But like waking up in The Matrix after taking the red pill, vulnerabilities in the “cloud” such as Heartbleed and Shellshock (the bash bug) raise awareness of how our computers, our personal data, our lives, and now our Things, are so dependent on networks and software sometimes designed and written decades ago.  (A word about the bash bug hype: most home network gear is not vulnerable, even if those devices use some flavor of Linux as their operating system.  The bash program is far too bulky and uses too many resources to live in those devices, and most manufacturers use a software kit called BusyBox, which doesn’t include bash.  The bash bug isn’t a threat to IoT, unless some inventor used a Linux server to control their device.)

A company named Spark produces a kit which can transform any “thing” into a connected Thing.  The Spark Core and Spark OS are a hardware and software kit which allow developers to control Things from the cloud on the IoT.  Who would want a smart toaster?  Marketers struggled with this question for a long time until the breakout product, the Nest thermostat, proved the concept.  Nest (now part of Google) has expanded into smoke alarms, and has announced an interface to allow selected devices to talk to its products, so your Mercedes-Benz, your Whirlpool appliance, or your Jawbone Up fitness monitor can control your home’s temperature.

Tomorrowland is here, along with reminders that Things connected to the cloud could turn against us.  Vulnerabilities, software bugs, security holes, denial of service attacks: a new language for non-techies, because those things are always someone else’s problem.  But once you connect a Thing to the IoT, it becomes your problem.

The Internet of Things’ primary threat is also its biggest benefit:  diversity.

Only a fraction of the thousands of Things make it to “store” shelves, but if the iTunes App Store and Google Play are any indication, it won’t be long before an open mass market exists for any Thing made by anyone.  Can these small players support you when the lights go out?  Will they even exist?  We know that large corporations, like Apple and Google, will be around and will offer support, at least for their current products.  Most of the startups won’t last, but their Things will remain, potentially for years.

But what happens when a company decides to “sunset” support for a Thing it has abandoned?  What happens to orphan Things if they become vulnerable in a year, or in ten years?  If Spark goes belly-up, or (more likely) is acquired, what happens to the thousands of Spark OS-powered Things?  Who will support the foobar you bought when the next big bug is found?

Why is that even important?  Because if your Thing, or its cloud-powered software, becomes vulnerable, then your Thing can turn against you.  If it’s got a camera, you can be spied upon.  Cameras and baby monitors made by Foscam had the simplest possible hack: click “OK” without entering a username or password on the camera’s own web interface.  If you don’t go to Foscam’s website and upgrade, anyone online can see what your camera sees.  HP Fortify researchers released a chilling study which found 250 vulnerabilities in the most popular IoT devices.  Many of these vulnerabilities are easily corrected, but left alone, they are quite severe.  If your Thing doesn’t self-update, or your Thing’s creator simply doesn’t provide a fix, your garage door opener, alarm system, or coffee pot could betray you.
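The Foscam story above is a fail-open login check: the firmware only rejected a wrong password, so submitting nothing at all slipped through. The following is an added illustration of that bug class and its fix, not Foscam’s code or anything from the HP Fortify study. It models an HTTP Basic Authorization header being checked against a small constructed credential store (the user name and password are placeholders), first the way a fail-open check behaves, then the way a fail-closed check should.

```python
import base64
import hmac

# Constructed credential store for this example only (placeholder values,
# not taken from any real device or vendor).
USERS = {"admin": "correct horse battery staple"}


def parse_basic_auth(header):
    """Return (username, password) from an HTTP Basic Authorization header,
    or None when the header is absent or malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authorize_vulnerable(header):
    """Fail-open check of the kind the post describes: the only thing it ever
    rejects is a *supplied* password that does not match.  Clicking "OK" on an
    empty dialog sends no usable credentials, and the function waves it through."""
    creds = parse_basic_auth(header)
    if creds is None:
        return True  # nothing submitted, so nothing "failed" -- the bug
    username, password = creds
    if password and USERS.get(username) != password:
        return False
    return True  # empty password never reaches the comparison -- the bug


def authorize_hardened(header):
    """Fail-closed check: only a known user with a matching, non-empty password
    is accepted; every other case (no header, bad header, unknown user, blank
    password, wrong password) is denied."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username, "")
    if not password or not expected:
        return False
    # Constant-time comparison so the check does not leak how many
    # leading characters of the password were right.
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def basic_header(username, password):
    """Build the Authorization header a browser sends for a Basic-auth dialog."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    empty_dialog = basic_header("", "")  # what "OK" on a blank login box produces
    print("vulnerable, no header :", authorize_vulnerable(None))
    print("vulnerable, blank box :", authorize_vulnerable(empty_dialog))
    print("hardened, no header   :", authorize_hardened(None))
    print("hardened, blank box   :", authorize_hardened(empty_dialog))
    print("hardened, real creds  :", authorize_hardened(basic_header("admin", USERS["admin"])))
```

The difference between the two functions is the default: the vulnerable one starts from “allowed” and looks for a reason to deny, the hardened one starts from “denied” and looks for a reason to allow. That default is the first thing to check when reviewing any Thing’s login code, because a device that ships with it wrong will keep it wrong until someone pushes a firmware update.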

Thoughtful companies and large corporations require their IoT developers to stick to standards, like the OWASP Internet of Things Top Ten (OWASP is the Open Web Application Security Project).  In the online payment industry, OWASP standards are mandatory, but in the Wild West of the IoT, there’s no standards body or certification procedure.  The results are predictable: poor programming methods, cutting corners, and simple ignorance lead to vulnerable devices.

In itself, the IoT is a wonderful concept.  But the potential for real intrusions into our lives, homes, and privacy is severe.  We should pause and consider some useful standard-making and certifying body, lest the Things we take into our homes become monsters among us.

(crosspost)