The problem with the Internet of Things is the things

CCTV camera

The “Internet of Things”, or IoT, refers to the ever-expanding range of traditionally non-Internet-connected things that can now be connected to the Internet. The array of things you can connect to your home wifi network is staggering and, to be honest, pretty dumb. Internet-connected toasters, light bulbs and even hot tubs are all available to lurk on your home network and send god only knows what data about you to god only knows where.

Your home network should be a safe place where only trusted devices have access. Traditionally, this has meant your own computers, your own smartphones and perhaps a few other devices such as gaming consoles. The problem with attaching a new device to your trusted network is two-fold: does it make attacking the network easier, and what is it doing with the data it collects?

The attack vectors

Any device attached to your network can see all the other devices and, potentially, have access to them. If you’re sharing your budget and medical documents with your wife’s computer, that’s fine. But is it really possible to keep track of a large number of often innocuous Internet-connected devices that you’ve introduced to your network over time?

Additionally, each device connected to your network that talks to the outside world introduces a new attack vector and heightens the vulnerability of your safe network to some degree. Most of us run anti-virus, ad-blockers, and possibly even firewalls on our PCs to keep bad guys out, but what does that toaster come with? Does it have any security software installed to prevent itself from becoming the weakest link in your network?

IoT devices are built by device manufacturers. This may seem like a self-evident statement, and perhaps it is, but the point is that light bulb people build light bulbs and hot tub people build hot tubs. Their area of expertise is in the thing, not in the Internet, which means their ability to build and maintain the Internet part of their device is a secondary concern. Internet-connected CCTV networks, printers, and even cars have been hacked over the Internet largely because manufacturers do not have the Internet mindset that is born of, and flourishes under, a healthy paranoia level of 11.

The data collection

There’s a segment of the population that does not understand how valuable their data is. Some will say “who cares if my toaster sends data out?”. People who hold this view lack imagination, which means they have trouble understanding how data correlation works. Perhaps your toaster is reporting that it routinely makes 4 pieces of toast every June when you’re vacationing away. Your insurance company might want to know that data because it shows someone else is occupying your house. Maybe your Fitbit reports substantially less exercise than you’ve reported to your doctor. Perhaps your car location is giving away your surprise birthday plans for your spouse. This isn’t a ‘scare post’, but with very little imagination it should be easy to come up with many situations where you’d prefer your data stayed home.

There’s even a large market for ‘third party data’, which means that some companies will sell your data to other companies for profit. This is where data correlation comes in: large data sets from disparate devices can be used to draw those correlations. The pharmacy loyalty app on your phone may show you recently filled a prescription for hormone drugs the same day as the data from your car shows that you visited a clinic, which was preceded by three days of rest as reported by your Fitbit. These are things that you may wish to keep private, but in the face of correlated data from your IoT devices, it’s hard to do.

In an ideal world companies would start with the Internet bit. They’d design a device that uses current security measures such as encryption, key-signing, non-standard ports, and removal of any services that do not have to be present for the device to function. They would then tack their Thing to it and end up with a really nice Thing that they’ve spent a long time building, connected to the Internet in a sane and secure way.

I don’t believe that is likely to happen any time soon, or perhaps at all. The IoT is populated largely by legacy things that have existed for a long time and now have the Internet component bolted on in a haphazard way stemming primarily from a desire to market an Internet connected version of the device.

Since even I am not immune to the lure of the IoT, here are some of the things I practice to minimize the threat they pose to my home network and privacy:

  1. If there are configuration options available to me to change ports or default passwords, I do it.
  2. I have a router that has a ‘guest’ network that operates on a different subnet than my home network. My IoT devices use the guest network so that they can only see each other.
  3. If a device can use either Bluetooth or WiFi, I use the WiFi option (on said guest network) to minimize access to my phone.
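As an added illustration (not code from the original post), here is a small audit that applies the three practices above to a constructed device inventory. It assumes a home LAN of 192.168.1.0/24 and a router guest network of 192.168.50.0/24, and treats a handful of ports that commonly ship open on consumer devices as "well known"; all device records are made up.

```python
import ipaddress
from dataclasses import dataclass

# Assumed for this example: the trusted home LAN and the router's guest subnet.
HOME_NET = "192.168.1.0/24"
GUEST_NET = "192.168.50.0/24"
# Ports that commonly ship open on consumer devices: telnet, http, rtsp, alt-http.
WELL_KNOWN_PORTS = {23, 80, 554, 8080}

@dataclass
class Device:
    name: str
    ip: str
    default_password: bool   # still on the factory credential?
    open_ports: frozenset    # TCP ports the device listens on
    radios: frozenset        # radios it supports: "wifi", "bluetooth"
    active_radio: str        # radio actually in use

def check_subnets(home=HOME_NET, guest=GUEST_NET):
    """Practice 2 only helps if the guest network is truly a separate subnet."""
    return not ipaddress.ip_network(home).overlaps(ipaddress.ip_network(guest))

def audit(device, home=HOME_NET, guest=GUEST_NET):
    """Return the practices from the list above that this device violates."""
    home_net, guest_net = ipaddress.ip_network(home), ipaddress.ip_network(guest)
    addr = ipaddress.ip_address(device.ip)
    findings = []
    if addr in home_net:
        findings.append("on trusted subnet; move to guest network")
    elif addr not in guest_net:
        findings.append("on an unexpected subnet")
    if device.default_password:
        findings.append("default password unchanged")
    for port in sorted(device.open_ports & WELL_KNOWN_PORTS):
        findings.append(f"well-known port {port} still open")
    if {"wifi", "bluetooth"} <= device.radios and device.active_radio == "bluetooth":
        findings.append("paired over Bluetooth; prefer WiFi on the guest network")
    return findings

# Constructed inventory for the example, not real devices.
INVENTORY = [
    Device("cctv-camera", "192.168.1.37", True, frozenset({23, 80, 554}), frozenset({"wifi"}), "wifi"),
    Device("toaster", "192.168.50.12", False, frozenset({8443}), frozenset({"wifi", "bluetooth"}), "bluetooth"),
    Device("light-bulb", "192.168.50.20", False, frozenset(), frozenset({"wifi", "bluetooth"}), "wifi"),
]

def audit_all(inventory=INVENTORY):
    """Map each device name to its findings (an empty list means it passes)."""
    return {d.name: audit(d) for d in inventory}
```

Running `audit_all()` flags the camera on every count, the toaster only for its Bluetooth pairing, and passes the light bulb.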

I still don’t feel terribly secure since I generally can’t be 100% sure what the device is doing, but hackers are lazy and if I can avoid being low-hanging fruit I will.

#infosec #security #iot