Naked Security

We might use your IoT stuff to spy on you, says top spook James Clapper

Connected fridges, thermostats, and babycams? Sure, those could come in handy for future surveillance, Clapper told the US Senate.

It’s scary enough when random cyber creeps spy on children in their cribs via internet-connected babycams.

How much more appalling is it to think that it could be Big Brother doing the eyeballing, be it through your internet-connected fridge, your toothbrush, or your TV?

That is a real possibility for the future, US director of national intelligence James Clapper said in testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the country.

He was talking about the Internet of Things, or IoT: that collection of connected gadgets that have plenty of “neat-o!” factor but which, all too often, are pockmarked with security holes.

The Guardian quoted Clapper:

In the future, intelligence services might use the [IoT] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

As Naked Security’s Paul Ducklin explained in a Sophos blog recently, IoT refers to a whole class of day-to-day “things” that are now being offered with built-in network connectivity.

These everyday objects can directly hook into the internet, all on their own, rather than needing to first be plugged into a computer connected to the internet.

The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into all manner of objects, and the situation has left security pros justifiably alarmed.

A 2014 study by HP found that 7 out of 10 of the internet-enabled devices it tested were vulnerable to some form of attack, with an average of 25 vulnerabilities per gadget.

Because IoT devices sit on the internet, their owners are at risk from anyone who can find a connected device. That’s certainly not hard: as it is, the IoT has its own search engine.

If and when intelligence agencies get around to tapping into the IoT – Clapper didn’t say which agencies are mulling the move – they’ll have quite a list of household objects to squeeze surveillance out of.

We’ve seen issues with connected kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege.

But one person’s security hole is another person’s opportunity.

To intelligence agencies, IoT devices could illuminate an environment that they claim is “going dark” due to new forms of encryption being used in consumer products and services.

That was the conclusion of a recent study published by the Berkman Center for Internet and Society.

Rather than evidence “going dark”, as law enforcement has repeatedly claimed, the growing number of IoT devices presents ever more opportunities for surveillance.

Berkman fellow and cryptographer Bruce Schneier:

We’re questioning whether the ‘going dark’ metaphor used by the FBI and other government officials fully describes the future of the government’s capacity to access communications.

We think it doesn’t. While it may be true that there are pockets of dimness, there are other areas where communications and information are actually becoming more illuminated, opening up more vectors for surveillance.

Of course, the US isn’t the only country interested in exploiting our poorly secured devices to spy on our activities and communications.

In the UK, the Investigatory Powers Bill—better known as the Snooper’s Charter—would put a legal seal of approval on government hacking of any device in criminal and terrorism investigations, including even Internet-enabled toys.

Nor is Clapper’s the first public admission by a government official that US intelligence agencies find the IoT compelling for surveillance.

In 2012, then CIA director David Petraeus called the surveillance implications of the IoT “transformational.”

Wired quoted remarks he made at a summit for In-Q-Tel, the CIA’s venture capital firm:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies, particularly to their effect on clandestine tradecraft.”


5 Comments

Isn’t the idea of an IoT tea kettle more than just slightly silly?

The obvious way to lessen your IoT hackability footprint (to coin a term) is to use non-IoT devices instead. Many devices are individually programmable; your coffee maker and your furnace thermostat come to mind.

Other devices are inherently automatic, requiring no manual activation. Lights can turn on at dusk and turn off at dawn. There are lights that respond to motion detection.

In short, don’t go cuckoo for Cocoa Puffs whenever a new whiz-bang technological gadget comes along.

On the other hand, the IoT offers devices with new capabilities, such as baby monitors that can be accessed remotely. The caveat is not to buy on impulse. Read online reviews, with an emphasis on device security.

Reply

Yet more examples of institutional diktatism from Western institutional dictatorships. Overthrow the latter and replace them with democratic institutions that do what the democratic majority wants them to do and do not do what the democratic majority does not want them to do. It’s democracy, stupid.

Reply

The other side of the coin is, if manufacturers are going all cuckoo for Cocoa Puffs in producing all the IoT toys, at least make some (actually A LOT of) effort at security. Some of the crap out there is simply mindless, as if they are thinking no one’s going to bother hacking this stuff.

But, yeah, quite a bit of the IoT stuff makes one scratch the head and ask “Why?”

Reply

I recently gave a class on IoT to non techs. I mentioned that I didn’t see the need for some IoT devices like a slow cooker, someone in the class said that they would love a slow cooker they could control from their phone. I don’t think that “non techs” realize the inherent security problems with IoT, for them it’s convenience.

I do have a question about the Amazon Echo. Amazon is a relatively savvy tech company; are the voice requests to Alexa encrypted? But even if they are, is Amazon basically eavesdropping on conversations near the Echo?

Reply
