Last week was week four of Cybersecurity Awareness Month (CSAM) and the theme was Your Evolving Digital Life.
It’s an important theme because, in case you hadn’t noticed, your digital life is evolving, and fast.
The vast international network of computers we call the internet is gobbling up a lot of new things that didn’t use to be computers, like fridges, baby monitors, TVs, kettles, cars, light bulbs, and power stations.
The resulting melange of smart stuff is called the Internet of Things (IoT) and it’s opening up a universe of new possibilities to everyone from consumers and corporations to hackers and criminals.
The Internet of Things Security Foundation’s mission is to make the IoT secure. It has this to say about the IoT:
The resultant benefits of a connected society are significant, disruptive and transformational. Yet, along with the opportunity, there are fears and concerns about the security of IoT systems.
You can say that again.
The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into it.
A 2014 study by HP found that seven out of the ten internet-enabled devices are vulnerable to some form of attack and the tested devices averaged 25 invitations to mayhem per gadget.
We get an idea of what’s going wrong by turning to OWASP (the Open Web Application Security Project) and its list of the top ten IoT vulnerabilities, which reads:
- Insecure Web Interface
- Insufficient Authentication/Authorization
- Insecure Network Services
- Lack of Transport Encryption
- Privacy Concerns
- Insecure Cloud Interface
- Insecure Mobile Interface
- Insufficient Security Configurability
- Insecure Software/Firmware
- Poor Physical Security
What the list tells us is that under the hood the Internet of Things is still very much the Internet of Computers. Some might be embedded in fridges and thermostats but they’re still bundles of hardware, software, ports and interfaces.
There is nothing on this list of the top ten problems that somebody running a server sat inside a good old fashioned data centre (or Cloud) wouldn’t worry about and nothing a criminal who wants to grow their botnet wouldn’t show an interest in.
With so much experience of securing networked computers and services out there already, the IoT could have hit the ground running with security baked in.
The fact that so much of it appears not to is grounds for serious concern and my guess is that something else, something very familiar, is playing out there.
It seems to me that each major shift in computing that I can remember, from PCs and home networks to the web, WiFi and smartphones, has happened along roughly similar lines.
It starts with a land grab where new features and being first to market matter more than anything else, particularly security, and that can leave users dangerously exposed.
That exposure may be obvious to security researchers from the get-go but it doesn’t become obvious to the general public, or get seriously addressed, until we suddenly see lots of victims. If history repeats itself, then the IoT’s Slammer worm or Heartbleed moment is, sadly, still ahead of us.
It’s bad enough when it’s your laptop or phone that’s at risk but the potential consequences of losing control of your cameras, central heating system or car could be far worse.
What the IoT needs is vendors prepared to put security front and centre and consumers who won’t connect a device to the internet unless security is its number one feature. Right now it feels like we don’t have enough of either.
NCSAM is run by StaySafeOnline.org and its mantra is Stop. Think. Connect.
When it comes to Your Evolving Digital Life we’ll only get the IoT we want if we’re ready to leave it at Stop. Think.
Bill
Call me old fashioned but I don’t actually want all my appliances connected to the net.
Dan
You are not old fashioned, you are just practicing common sense. I also do not want all my things on the net.
justiceISfake
you are not alone…
ed
Agreed, considering most IoT thing security seems often to be an afterthought.
Dave B.
More like a lack of thought
gebildete
I can’t say I am old-fashioned. I use the apps which are connected to the Internet because almost all the educational apps require the Internet connection. I upload some data on the konstruktor too and don’t feel that my data are unsafe.
Aarti Patole
Thanks for sharing
Kemberly Sumigawa
I guess I will be the paranoid one. All of our technologies have taken huge leaps in the last decade, while our privacy rights have been being stripped away even faster. Nothing good will come from the IOT. Too many people hop on board without a thought to consequence. Google search, Alexa, smart TVs and whatever other garbage is out there, is recording. Always. What kind of info do you think they “sell”? It can’t be just your name, address and phone number….there used to be phone books for that. Got an innovative idea that you need to look up a couple things on Google before you take it to market? Have you talked to a friend about it in front of Alexa? Now once everything in your home is hooked up, big bro super steroid version will be all up in you….not just listening like before, he will be able to see, hear and take control of anything. Including you. If you don’t abide by the gameplan, you might just have to replace your fridge, the dryer, maybe a coffee maker too. If that didn’t get the message across maybe you get sent a live video of your teenage son or daughter in your smartcar that they aren’t driving and aren’t paying attention to the fact that they are nowhere near where they are supposed to be cause they’re chatting with friends or face in their cellphone because they don’t have to actually drive. Boom into a tree.
There are so many more scenarios of why the IOT IS JUST A TERRIBLE IDEA.
I would really prefer to have 1 tablet and the rest of my things and my life analog. I like dumb “things”