The Internet of Things - IoT
You've almost certainly heard the term "Internet of Things". Lots of consumer products introduced recently fall into the IoT category.
So what exactly does this mean?
Broadly speaking, it means that many of the everyday things we use in our lives are designed with internet connectivity.
In this article, I'll discuss IoT gadgets and why they might not be such a great idea, after all. If you are security conscious at all, you'll agree with me on this.
There are several classes of products that lend themselves (or not) to being internet connected:
Devices that cannot exist without internet access such as Amazon Alexa, Apple Siri, and TV streaming devices.
Devices that can exist without internet access but are far more useful with internet access. This includes front porch doorbell cameras and smart thermostats. Maybe some other things.
Devices that have existed for years and worked just fine without internet access and gain little or no value from being connected to the internet. This list is long, including things like coffee makers, laundry machines, dishwashers, ranges, door locks, toothbrushes, and countless other appliances small and large that we use every day.
Children's toys that are now "smart". This could be games and even stuffed animals or action figures that a child can converse with. This one causes me the most concern.
The foregoing are all examples of residential IoT devices.
A Little History
Of course there's a history lesson here! For years now, remote industrial applications have been monitored and controlled via SCADA (Pron. SKAY-duh -- Supervisory Control And Data Acquisition) systems. Such industrial systems include interstate gas pipelines, the electrical grid, railroads (monitoring trains and lines, controlling signals, actuating railway switches), airports, office towers, cruise ships, the list goes on.
These industrial applications often incorporate thousands of sensors and controllers generating millions of data points and may be geographically spread far and wide. A method of remote monitoring and control was required. The methods and protocols developed under the umbrella term SCADA were the answer to this need.
SCADA is the functional predecessor to today's internet of things, but with (at least) these big differences:
Scalability: SCADA was designed for industrial applications only. The internet of things model is scalable from large industrial applications that SCADA traditionally served down to individual, personal devices.
Communication: Traditional SCADA systems back in the day communicated via dedicated circuits, not the internet. The IoT, by definition, communicates via the internet. And that is also a huge source of concern and the impetus for me to write this article.
Security: Most SCADA systems used dedicated, isolated circuits that were not accessible to outsiders or other unauthorized parties.
Security cameras and thermostats were around long before the internet but have gained valuable new skills and usefulness since becoming internet connected.
You can see who's at the door and even chat with them from anywhere. These cameras can alert you, and begin recording, if someone approaches your front door, even if they don't ring or knock. Some cameras have new tricks, alerting you that a box was left at your front door so you can bring it inside. That's really useful because "porch pirates" are a thing.
Thermostats can be controlled remotely. It's pretty nice to be able to adjust the climate the day before you arrive back after a long trip.
And some things, like smart speakers such as Alexa, could not even exist without the internet. I like Alexa mainly for streaming KBIA but I also ask her to play music, set a timer, and other such things.
So there are useful IoT gadgets out there. But there are concerns as well.
Neighbors Unlocking your Front Door?
As with many things involving the internet, manufacturers of IoT devices don't pay much attention to security concerns. They want their gadgets to be cheap, easy to set up, and to work seamlessly. They aren't too interested in complicating things by imposing too much pesky security. As a result, many IoT devices have weak or no security, weak or no encryption, default passwords, and easily defeated access methods, and are generally more vulnerable to attack from outside bad actors.
Just do a Google search on "internet of things security issues" (without the quotes) and you'll see many millions of search results. It's a big and growing problem.
There are actually websites that specialize in cataloging people's insecure IoT devices such as residential camera systems used as baby monitors and for security! Imagine someone remotely watching your child sleep, monitoring and disabling your home security system, or unlocking your front door if you have an IoT door lock. All this is possible and has been demonstrated.
Invasion of the Body Snatchers
Improperly secured IoT devices all over the world are being hijacked by the hundreds of thousands (probably millions) into robotic armies called botnets. If your IoT gadget (be it a camera, video doorbell, thermostat, whatever) were hijacked, it would likely still work as intended, but it would also be listening for orders from a C&C (Command and Control) server run by a "bot master" -- a criminal enterprise. In this case, the bot masters (usually) aren't interested in attacking you -- they want to use your IoT gadget, along with many, many others, to perform large scale coordinated attacks against whoever for whatever reason.
This is called a DDoS attack (Distributed Denial of Service). It's a type of attack where many thousands (or millions) of compromised computers or devices all simultaneously and repeatedly try to connect to the same web site with bogus requests. The flood of incoming requests can temporarily overwhelm and disable a web site. DDoS attacks are carried out for any number of reasons: Political disagreement, extortion, or simply "for the lulz".
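The two behaviours just described (a device quietly checking in with a C&C server, and a device hammering one target during a DDoS) both leave traces in a home router's outbound connection log. The following is an added example, not code from the original article: it reads a constructed, router-style flow log and flags devices showing either pattern. The log format, the thresholds, and the sample MAC and IP addresses are assumptions made for the demonstration.

```python
"""Flag a home IoT device that may have been hijacked into a botnet.
Added example, not code from the original article. Input is a constructed,
router-style outbound flow log ("epoch_seconds src_mac dst_ip:port" per line).
Two findings match the article: "flood" (many connections to one target in a
short window, i.e. taking part in a DDoS) and "beacon" (steady check-ins with
one host, i.e. waiting for orders from a C&C server). Thresholds are assumptions.
"""
from collections import defaultdict
from statistics import pstdev

FLOOD_WINDOW = 60        # seconds (assumption)
FLOOD_THRESHOLD = 20     # flows to one target per window (assumption)
BEACON_MIN_FLOWS = 5     # check-ins needed before judging rhythm (assumption)
BEACON_MIN_GAP = 30      # seconds between check-ins (assumption)
BEACON_MAX_JITTER = 2.0  # std-dev of gaps in seconds (assumption)

def parse_log(text):
    """Return {(src_mac, dst): sorted [timestamps]}; malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            flows[(parts[1].lower(), parts[2])].append(int(parts[0]))
    return {key: sorted(ts) for key, ts in flows.items()}

def find_suspects(text):
    """Return a sorted list of (src_mac, dst, kind) findings."""
    findings = set()
    for (mac, dst), stamps in parse_log(text).items():
        lo = 0  # flood check: sliding window over the sorted timestamps
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > FLOOD_WINDOW:
                lo += 1
            if hi - lo + 1 >= FLOOD_THRESHOLD:
                findings.add((mac, dst, "flood"))
                break
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]  # beacon check
        if (len(stamps) >= BEACON_MIN_FLOWS and min(gaps) >= BEACON_MIN_GAP
                and pstdev(gaps) <= BEACON_MAX_JITTER):
            findings.add((mac, dst, "beacon"))
    return sorted(findings)

def sample_log():
    """Constructed log: a normal phone, a beaconing camera, a flooding doorbell."""
    lines = [f"{1700000000 + 17 * i} 02:00:00:00:00:10 198.51.100.{7 + i}:443"
             for i in range(3)]                       # phone: ordinary browsing
    lines += [f"{1700000000 + 300 * i} 02:00:00:00:00:20 203.0.113.9:8080"
              for i in range(6)]                      # camera: 5-minute check-ins
    lines += [f"{1700000000 + i // 2} 02:00:00:00:00:30 192.0.2.5:80"
              for i in range(40)]                     # doorbell: 40 hits in 20 s
    return "\n".join(lines)
```

Running find_suspects(sample_log()) reports the camera as a beacon and the doorbell as a flood while the phone stays clean; on a real router export you would adjust the parser to its column layout and tune the thresholds to your own traffic.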
There are moves afoot to draft legislation to mandate security standards for IoT devices but, as usual, clueless lawmakers are dreadfully outpaced by product development. It remains a totally unregulated marketplace where any cheap insecure product can be sold.
Spies Masquerading as Cute and Cuddly Toys
It's not just resistance to hacking that's a concern. Privacy is a huge concern also.
IoT tech has made its way into children's toys. Manufacturers are now making interactive toys that use cloud-based servers to give the toy its "smarts". Just as the power and knowledge of Siri and Alexa reside in Apple and Amazon data centers, so too does this new breed of interactive toy get its "intelligence" from cloud-based servers. In this case, however, the servers belong to third-party companies (usually foreign, outside the reach of US law) that don't give a hoot about security or privacy. These toys are essentially cheap throw-away products. The companies that make them aren't going to spend any money on security.
Your kid's cloud-enabled toy could well be recording every word it hears and sending it to a data center. The value of that collected data is huge. By parsing every word these toys hear, the toy can respond intelligently. But it doesn't end there. That data is mined for all kinds of valuable information that is sold to anyone willing to buy.
Think for a moment about all the conversations you might have in your home that can be picked up by these toys. Discussing a major purchase, a legal problem, medical issues, marital problems, and more. And that's just the parents having grown-up conversations. Little kids will parrot anything they hear. A young child lacks judgement and discretion and might confide in his/her intelligent and responsive toy about mommy and daddy's constant fighting or anything else.
And don't think it's anonymous, either. Most IoT toys require a sign-up of some sort, even if free, almost certainly using your email address. Everything that toy hears is associated with you, specifically. Use a throw-away email address? Not good enough. That toy can scan your network, logging the MAC addresses* of all other devices it sees and your public IP address as well. And under the right circumstances, your IP address and those MAC addresses can be used to fingerprint you across the internet. The IoT toy maker may then package up all those juicy tidbits and sell them to big data. This is absolutely possible and almost certainly happening. No manufacturer would leave that money behind, especially since no one is likely to catch them.
* What is a MAC address? Every internet-capable device has a unique MAC (Media Access Control) address hardwired into the device and it never changes for the life of the device. While the purpose of the MAC address isn't to track you, it could be abused in that way under the right circumstances.
A Real Necessity?
Some connected devices -- like the doorbell cameras and smart thermostats -- lend themselves to internet connectivity and can be useful. But they must be set up correctly and securely! Amazon's Alexa is also very useful, bringing new functionality that did not exist before.
But many manufacturers today are adding internet connectivity to mundane devices simply to differentiate them from their competitors. Who the hell needs an internet-connected refrigerator or coffee maker? Yet both of these things exist.
I'd steer clear of these unnecessary IoT devices until the manufacturers can get behind a coherent and unified privacy and security strategy to keep their systems safe, secure, and private. We already expose ourselves too much in the name of convenience and interconnectedness. At the very least, consider only those devices that offer a true and useful benefit. And if you don't understand how to make sure it's properly secured, call someone who does.
Do you really need to unlock your front door using your phone?