Increased security concerns as the Internet of Things provides the offering of new services on personal devices and connected homes.
The Consumer Electronic Show (CES 2015) this month was swarmed by dozens of new products, from smart watches to a speaker-equipped robot for your home. The offerings are designed to provide consumers and companies endless information on their world to computers, tablets, or smartphones. That can provide interesting and even important data, but how much is being done to make certain that it remains private and secure?
For example, your mobile phone can connect with electronic locks that provide access to your front door by communicating over the internet. Lock companies obviously care about security and privacy, but there is little or nothing in their product descriptions about network security. (August, a new lock company that started out making internet-based locks does a better job of explaining the security issue.)
The problem created by locks that could be broken into by hackers is an obvious problem. But the potential risks of IoT (Internet of Things) enabled devices, are everywhere. Researchers are investigating the ability of attackers to get into the connections between wireless medical devices such as heart pacemakers and networks. Logan Lamb, a security researcher at Oak Ridge National Lab, told Wired, about the risk of alarm systems and their wealth of resident activity:
“So as people go about their days in their homes, these packets are being broadcast everywhere,” he said. “And since they’re unencrypted, adversaries can just sit around and listen in. Suppose you have a small [monitoring] device to chuck in a [rain] gutter. With minimal effort you could tell when someone leaves the house … and establish habits. I think there’s some value there and some privacy concerns.”
Plamen Nadelchev, a Cisco distinguished engineer, warned at the Privacy Identity Innovation 2014 conference that while we will get benefit as more and more of the elements in our lives are connected, we will also need protection. “I can predict that in the next three years, we are going to see ten-fold increase in the number of devices, not only computers, but smart watches, smart clothes, smart shoes, etc.,” he says. “That creates a different challenge for every enterprise practitioner. People are going to bring their work, and bring their shoes and clothes. So they can become a secondary source of attacks. We see attacks from refrigerators and from toasters. This changes the whole security challenge and we need to prepare ourselves.”
With earlier wireless devices, there was little need for security other than to use encryption between the devices to prevent snooping. But that is increasingly inadequate as both the volume and sensitivity of connected devices rises, for example a door lock that could be opened by a house thief or a TV in your bedroom that snoops on conversations.
Some newer devices are already building considerably greater security assets into devices. For example, extensive efforts have been made by Nest, a unit of Google, to let the owner prevent individuals from receiving or generating content from the DropCam video and audio source. For example, the owner controls whether data captured is stored on DropCam’s files at Amazon’s S3 service on only sent to the customer. Third applications are not allowed access to video. The loss of a username or password leads to automatic segregation of any content on file until the access has been corrected.
It’s not perfect. A clever hacker may still be able to find ways to attack assets that are supposed to connect properly. There is a tradeoff between the security and privacy protections and there is danger that the security measures will impede usability.
For years, systems involved violations of security by computers talking to each other across networks. The computers were under human controls, which made it possible both for the human beings to supply identification and to notice violations. It’s much harder to tell what wireless devices are up to, whether information is being stolen by crooks or, has depressingly been the case, information is being captured by the maker of the device without the customers explicit permission.
Currently, the efforts appear to focus on security, but over time, privacy is likely to become an issue for these IoTs. And while security is primarily an effort of hardware and software priority, privacy will likely require more of an issue for device owners and users. As Nandini Jolly, CEO of PatternBuilder security tools, says:
“At the end day, the users, along with policy makers, along with regulators, along with device makers—we all have to be part of an ecosystem that addresses this. I don’t have a Fitbit, but I have an Android phone because I am glued to my phone all the time. When I am running, I have Exercise Mate that panels how lousy my day is, how bad my run will be. However—you know it’s got my age and my gender—there a button that allows me to press it and get it to monitor the range of of the 25-year-old I profess to be when I exercise. I never press it.”
Used with the permission of thenetwork.cisco.com