In the run-up to Halloween, it is only fitting that DataIQ tells some scary stories. Did you know that innocuous objects that you might have in your home can turn into zombies? A zombie, more commonly known as a bot, is a computer or device that is connected to the internet and has been taken over by a cyber attacker who controls it remotely. A collection of these bots is called a botnet. A massive botnet attack took place in October 2016 on the Dyn servers, resulting in an outage that brought down websites such as Twitter, CNN and Netflix. Scary stuff.
For an acquaintance of Dr James Stanger, chief technology evangelist at CompTIA, a zombie attack caused him a real nightmare. He went off-grid for a few days and when police checked his PC for clues as to his whereabouts, they found that some of his internet of things devices had stored child pornography. Upon his reappearance, he was promptly taken in for questioning. However, the authorities realised that the man’s connected devices were unsecured and were part of a botnet controlled by people who traded indecent images.
While the above is a tale of security, one’s privacy can also be compromised by the use of unsecured connected devices. In February, Germany ordered owners of a connected doll to destroy or disable the toys. It was withdrawn from sale after the toy was classified as “illegal espionage apparatus,” capable of spying on children.
Nigel Harrison, co-founder of Cyber Security Challenge UK, said that an internet-connected fridge is innocent enough if it just tells the owner when they are running low on milk or eggs. But, if that fridge is authorised to make additions through the owner's account with an online supermarket, hackers might be able to use it as a way to access personal and financial information.
Stanger gave the hypothetical example of IoT-enabled shoes. A very forward-thinking shoe company may want to make a pair of shoes specific to a certain customer’s foot shape and gait and so puts trackers in their shoes. “That is really cool, but imagine if that information about your personal habits, where you’ve gone, becomes available to the bad guy. Now they know where you are, where you tend to go, they can make predictions about your behaviour and what you do. They can begin very easily to do things like stealing identity,” he said.
According to Stanger, once a connected device has firmware, storage and processing, it can be taken over for good or ill. And these devices are filling our homes at great speed. A GMSA survey of 2,000 people in the UK, US, Japan and Germany found that, in the next five years, 37% said they would be likely to use smart appliances and 25% to use smart energy meters.
Stanger says this is because we are currently in the middle of a rush to market of connected things. He said this is due to “manufacturers making nifty gadgets that we all want to buy,” and the same manufacturers wanting to crunch the data generated by those devices as it represents a new revenue stream.
He added that in this rush, time isn’t being taken to build high-level security into the devices and software is being introduced that has weak authentication. Harrison concurred, saying that part of the problem lies at the design stage with developers quite often not designing with security in mind.
The types of connected devices in the home that Stanger is most cautious of are those that require the user to sign up for a feature or a service. He said that any device that learns and uses artificial intelligence should cause a consumer to ask themselves: “Do I really want all of my information to be stored, processed and used?”
“Anything that is invasive and day-to-day in tracking you, is something to worry about,” he said. He also pointed out how easy it is to hack into connected home devices. Researchers for a military contractor simply chuckled when Stanger asked if they had been shown a back door to hack into devices.
Despite the incoming GDPR, Stanger does not have a high level of trust in IoT devices. He said: “In Europe we have GDPR, we have the right to be forgotten. I am a little leery about how easily we are going to be forgotten once all of our information is in these things.”
And he is not alone as the same seems to be true of the British public. A recent survey found that 52% of Britons were concerned that IoT home devices would collect data about them without their knowledge.
Trust is an important issue in relation to connected devices as they are designed to learn and adapt to very intimate details about the user. The smart security system will know the time they leave and return to the house. The smart fridge will know what type of diet they are following. The activity tracker will know how much exercise the user is doing and how much sleep they are getting per night.
The smart vacuum cleaner - like iRobot’s Roomba - will know the floor plan of the house. The CEO of iRobot said his company may reach a deal to share the maps of users’ houses – with their consent – freely with third parties. It would be interesting to see how he, his company and its things gain the trust of its customers to get that consent.
Humans earn each other’s trust by demonstrating honesty and reliability, but what does a machine have to do to gain our confidence? According to Stanger, the benefit to the manufacturer is they constantly receive feedback on how their product is used and so can continually improve it.
Fortunately, there is a solution in sight to this nightmarish scenario. Although Stanger likens privacy and security in connected home devices to the wild, wild west, he said it won’t be long before someone comes up with an easy-to-use, centralised identity management system. This system, which might use blockchain, will give choice back to the consumer about what activities they want their connected devices to participate in with their data.
Furthermore, if manufacturers get a reputation for creating devices that are easy to compromise, Stanger said they will soon put that right and make security a more integral aspect of their products’ design, in a bid to retain customers.
In the meantime, he suggested that consumers think about whether the trade-off between convenience and the risk of a privacy breach offered by connected home devices is actually worth it. He said: “At some point, we should consider the convenience of these IoT devices. Maybe we don’t need them. Maybe we can just avoid using some of these devices until we really know what they are doing.”