Securing the Internet of Things
Article was first published April 2018.
Editor’s note: "We first published this article as a spotlight feature of the 2018 Internet Health Report, and are sharing it again now as part of our *Privacy Included: Rethinking the Smart Home special edition. It explains why smart home security matters to the health of the internet, even if you don’t own any connected ‘things’ yourself. There is no shortage of stories about security gone wrong – and this article presents more questions than answers. But it’s also true that in the short time since its publication, a lot of thinking and action has evolved about what to do." – Solana Larsen
Somewhere in Vietnam, a man is searching for a shoe box in a storage room, a woman is slicing bread in Argentina and a child sits restlessly on his mother’s lap in a waiting area of what appears to be a pharmacy in France. A cow is being milked in Germany.
They are being filmed by online security cameras without passwords assigned. They surely don’t know they can be watched by anyone who looks for insecure cameras on the internet. Whoever set up the camera could choose to restrict access with a password. But without that protection, they are just there, broadcasting via the network. They don’t have to be hacked.
Now consider that the number of internet connected devices is expected to double from 2015 to 2020. That’s 30 billion devices worldwide. For every device with either no password or a bad one, the internet becomes a little more fragile and dangerous. But people buy things, connect them to the internet and never think about securing them as long as they work.
Fitness trackers, kitchen appliances, light bulbs… This year, we will be listened to, watched, recognized and recorded by phones, digital assistants and cameras like never before.
Data will be collected that is vulnerable to hacks and breaches. We could worry about creeps on the lookout for unsuspecting naked people, or financial fraud, or invasive advertising or political manipulation. Do cars share our driving habits with insurance companies? Do vacuum cleaners trade in information about the layout of our homes? To most people, these are hypothetical risks, hardly outweighed by the enjoyment of the Internet of Things (IoT).
The reality is that the “attack surface” of the internet is growing and that we have already had a taste of the nasty consequences.
In December 2017,three young men pleaded guilty in a US federal court to creating a strain of malware (malicious software) called Mirai in 2016 that enslaved thousands upon thousands of webcams, baby monitors and other devices with factory default usernames and passwords that performed targeted “DDoS attacks” to bring down websites and networks. When the authors publicly shared the code to obscure their own identity, Mirai botnets multiplied, and began competing against each other (and still do) for control over devices around the world, eventually succeeding in temporarily shutting down parts of the internet in the US and Europe, through a large-scale attack on the internet performance management company Dyn. In Europe, banks and internet service providers were extorted. In New Jersey, a university was.
Offering “security services” (veiled extortion) was part of the devious original plan of Mirai’s authors, as was racking up dollars by creating fake botnet traffic on online ads. At the time, some security experts suspected government actors like China or Russia must be testing the resilience of the internet. The actual villains were less ominous, but the risk of all these insecure “things” still exists and the scale grows bigger with every new connected device.
For all the hype around gadgets and home appliances, many of the industries most impacted by IoT will be health care, transportation, energy and utilities. There are great opportunities for improving the efficiency and quality of public services, health and infrastructure.
Inexpensive hardware and decentralized innovation is also delivering the internet to more people, in more shapes and forms than ever. While that is something to celebrate, unfortunately in today’s throwaway culture, internet devices are rarely designed to stay safe and secure over time.
Since all software is vulnerable to attack or malfunction with age, automatic software updates are a must. Small companies selling cheap IoT devices, without the resources and expertise of companies like Google, Apple or Amazon, will find this harder to do on their own.
Who do we hold accountable when the path from manufacturer to consumer is so opaque? Could there be regulations and industry codes of conduct to ensure the use of strong, random and unique passwords on internet devices? Could there be technical security devices that form a shield around a person’s personal IoT network? Could there someday be dependable trustmarks for IoT – like the labels on organic food or energy efficient appliances? What role is there for designers? These and many other ideas need research, exploration and further discussion in 2018.
The key problem is that IoT is growing faster and bigger than we could have imagined. Some of the risks posed are personal (like being embarrassed or perhaps being injured by a hacked car) while other risks are at the system or environmental level (like hospitals or the electric grid being taken down). Either way, it’s going to be costly to fix when things go wrong.
One of the great opportunities of the moment for advocacy is in the home – being smarter consumers and especially advocating as parents on behalf of children who ought to be protected from insecure toys that contain hidden microphones, cameras or other personal data recorders. Dolls like ‘Hello Barbie’ and ‘My Friend Cayla’ that listen and speak to children have attracted negative headlines for being easily hacked. Germany is one country that bans Cayla as a “concealed transmitting device”. Where else could traditional consumer safety regulations be leveraged?
We need to grapple with how we handle these issues as a society today: what we can leave up to industry, what we can leave up to consumer choice and what we need to regulate.