The Internet of Things - IoT
You've almost certainly heard the term "Internet of Things". Lots of consumer products introduced recently fall into the IoT category.
So what exactly does this mean?
Broadly speaking, it means that many of the gadgets we use in our lives are designed with internet connectivity. These are everyday appliances and devices that traditionally had no smarts and certainly no way to communicate beyond their self-contained functions.
In this article, I'll discuss IoT gadgets and why they might not be such a great idea, after all. If you are security conscious at all, you'll agree with me on this.
An early example of an IoT device is the Nest thermostat -- a learning thermostat that anticipates your climate needs and can be controlled in a number of ways via the internet, like from your smart phone.
Today there are far more IoT devices available. Literally anything that has a human interface -- that can be controlled or monitored -- is a candidate to become an internet-connected appliance.
Residential examples include HVAC monitoring and control, refrigerators / freezers, washers / dryers, door locks, security systems of various types including cameras, TVs, light switches, fitness trackers, baby monitors, reminder systems, help buttons (often used by elderly), etc.
Industrial examples include transportation systems such as traffic monitoring, signal control, programmable roadway signs (that display things like "don't text and drive" and AMBER alerts), weather monitoring, electric grid management, and many others.
A Little History -- Predecessor Methods
For years now, remote industrial applications have been monitored and controlled via SCADA (pronounced SKAY-duh -- Supervisory Control And Data Acquisition) systems. Such industrial systems include interstate gas pipelines, the electrical grid, railroads (monitoring trains and lines, controlling signals, actuating railway switches), airports, office towers, the list goes on.
These industrial applications often incorporate thousands of sensors and controllers generating millions of data points and may be geographically spread far and wide. A method of remote monitoring and control was required. The methods and protocols developed under the umbrella term SCADA were the answer to this need.
SCADA is the functional predecessor to today's internet of things, but with (at least) these big differences:
Scalability: SCADA was designed for industrial applications only. The internet of things model is scalable from large industrial applications that SCADA traditionally served down to individual, personal devices.
Communication: Traditional SCADA systems back in the day communicated via dedicated lines, not the internet. The IoT, by definition, communicates via the internet. And that is also a huge source of concern and the impetus for me to write this article.
Security: Most SCADA systems used dedicated circuits that were not accessible to outsiders or other unauthorized parties.
Neighbors Unlocking your Front Door?
As with damn near everything on the internet, manufacturers of IoT devices rarely pay any mind to security concerns. They want their gadgets to be cheap, easy to set up, and work seamlessly. They aren't too interested in complicating things by imposing too much inconvenient and pesky security. As a result, many IoT devices have weak or no security, weak or no encryption, default passwords, easily defeated access methods, and are more vulnerable to attack from outside bad actors.
Just do a google search on "internet of things security issues" (without the quotes) and you'll see many millions of search results. It's a big and growing problem.
There are actually websites that specialize in cataloging people's insecure IoT devices such as residential camera systems used as baby monitors and for security! Imagine someone remotely watching your child sleep, monitoring and disabling your home security system, or unlocking your front door if you have an IoT door lock. All this is possible and has been demonstrated.
Invasion of the Body Snatchers
Improperly secured IoT devices all over the world are being hijacked by the hundreds of thousands (probably millions) into robotic armies called botnets. If your IoT gadget (be it a camera, video doorbell, thermostat, whatever) were hijacked, it would likely still work as intended, but it would also be listening for orders from one or more C&C (Command and Control) servers run by a "bot master" -- a criminal enterprise. The bot masters (usually) aren't interested in attacking you -- they want to use your IoT gadget, along with many others, to perform large-scale coordinated attacks against whoever, for whatever reason.
In Sep 2016, the website of security researcher and journalist Brian Krebs (KrebsOnSecurity.com) was hit by a massive DDoS* attack that slammed his site with millions of bogus web requests and knocked him offline. Several hundred thousand devices were all hammering his site simultaneously. What were these devices? Cloud-enabled cameras, home routers, and countless other crappy insecure "Internet of Things" devices that people buy and don't know how to properly secure.
* DDoS stands for Distributed Denial of Service. It's a type of attack where many thousands (or millions) of computers or devices all simultaneously and repeatedly try to connect to the same web site. The flood of incoming requests can temporarily overwhelm and disable a web site. DDoS attacks are carried out for any number of reasons: Political disagreement, extortion, or simply "for the lulz" (google it).
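What makes a DDoS hard to stop is the "distributed" part: each hijacked device sends only a handful of requests, so blocking individual addresses gets you nowhere. The following script is an added example (not from the article) that runs over a constructed sample of web-server access log lines and labels each one-second window as normal, a single-source flood, or a distributed flood, using the request count and the number of distinct source addresses. The log format, thresholds and addresses are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the article). Each line: ISO timestamp,
# client IP, method, path. Second 00 is normal traffic, second 01 is a flood from
# 200 distinct addresses (the botnet pattern), second 02 is one address hammering.
SAMPLE_LOG = "\n".join(
    ["2016-09-20T12:00:00 203.0.113.10 GET /",
     "2016-09-20T12:00:00 203.0.113.11 GET /about"]
    + [f"2016-09-20T12:00:01 198.51.100.{i} GET /" for i in range(1, 201)]
    + ["2016-09-20T12:00:02 192.0.2.7 GET /"] * 300
)

def parse_log(text):
    """Return (timestamp, source_ip) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, ip, _method, _path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), ip))
    return events

def window_stats(events, window_seconds=1):
    """Bucket events into fixed windows: {window_start_iso: (requests, distinct_ips)}."""
    counts, sources = defaultdict(int), defaultdict(set)
    for ts, ip in events:
        start = ts.replace(second=ts.second - ts.second % window_seconds, microsecond=0)
        key = start.isoformat()
        counts[key] += 1
        sources[key].add(ip)
    return {k: (counts[k], len(sources[k])) for k in counts}

def classify_windows(stats, window_seconds=1, baseline_rps=20, min_sources=50):
    """Label each window. A flood spread over many distinct sources is the DDoS case:
    per-IP rate limiting will not help, because each bot sends only a few requests."""
    labels = {}
    for key, (requests, distinct) in stats.items():
        if requests <= baseline_rps * window_seconds:
            labels[key] = "normal"
        elif distinct >= min_sources:
            labels[key] = "distributed flood"
        else:
            labels[key] = "single-source flood"
    return labels

def detect(text, window_seconds=1):
    """Convenience wrapper: parse, bucket and classify in one call."""
    stats = window_stats(parse_log(text), window_seconds)
    return classify_windows(stats, window_seconds)
```

Calling `detect(SAMPLE_LOG)` labels the three windows as normal, distributed flood and single-source flood respectively; on a real server the thresholds would be tuned to the site's normal traffic.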
There are moves afoot to draft legislation to mandate security standards for IoT devices but, as usual, clueless lawmakers are dreadfully outpaced by product development. It remains a totally unregulated marketplace where any cheap insecure product can be sold.
The Cute and Cuddly Spies Masquerading as Toys
IoT tech has made its way into children's toys. Manufacturers are now making interactive toys using cloud-based backend servers to give the toy its "smarts". Just as the power and knowledge of Siri and Alexa reside in Apple and Amazon data centers, so too does this new breed of interactive toys get its "intelligence" from cloud-based servers. In this case, however, the servers belong to third-party companies (usually foreign, outside the reach of US law) that don't give a hoot about security or privacy.
Your kid's cloud-enabled toy could well be recording every word it hears and sending that to a data center. The value of that collected data is huge. By parsing every word these toys hear, the toy can respond intelligently. But it doesn't end there. That data is mined for all kinds of valuable information that is sold to anyone willing to buy.
Think for a moment about all the conversations you might have in your home that can be picked up by these toys. Discussing a major purchase, a legal problem, medical issues, marital problems, and more. And that's just the parents having grown-up conversations. Kids will parrot anything they hear. A young child lacks judgement and discretion and might confide in his/her intelligent and responsive toy about mommy and daddy's constant fighting or anything else.
And don't think it's anonymous, either. Most IoT toys require a sign-up (even if free) of some sort, almost certainly using your email address. Everything that toy hears is associated with you, specifically. Use a throw-away email address? Not good enough. That toy can scan your network, logging the MAC addresses* of all other devices it sees and your public IP address as well. And under the right circumstances, your IP address and those MAC addresses can be used to fingerprint you across the internet. The IoT toy maker then may package up all those juicy tidbits and sell them to big data. This is absolutely possible and almost certainly happening. No manufacturer would leave that money behind.
* What is a MAC address? Every internet-capable device has a unique MAC (Media Access Control) address hardwired into the device and it never changes for the life of the device. While the purpose of the MAC address isn't to track you, it could be abused in that way under the right circumstances.
A Real Necessity?
Some connected devices -- like the Nest thermostat with its innovative energy-saving features -- lend themselves to internet connectivity and can be useful. But it must be set up correctly and securely! Amazon's Alexa is also very useful, bringing new functionality that did not exist before.
But many manufacturers today are adding internet connectivity to mundane devices simply to differentiate them from their competitors. Who the hell needs an internet-connected refrigerator or coffee maker? Yet both of these things exist.
I'd steer clear of most IoT devices until the manufacturers can get behind a coherent and unified privacy and security strategy to keep their systems safe, secure, and private. We already expose ourselves too much in the name of convenience and interconnectedness. At the very least, consider only those devices that offer a true and useful benefit. And if you don't understand how to make sure it's properly secured, call someone who does.
Do you really need to unlock your front door using your phone?