Christmas 2013 will be a banner year for the Internet of Things, as smart gadgets appear like mushrooms under the Christmas tree. But get ready for a privacy hangover, as poorly designed and insecurely deployed gadgets turn on their masters.
Just in time for the holidays, I received an e-mail by way of Electric Imp. If you’re not familiar with the “Imp” (my phrase, not theirs), it’s a platform that makes it easy to build and connect smart devices.
Among the cool gift ideas Electric Imp was promoting: a whole line of products produced by the company Quirky along with GE under the “Wink: Instantly Connected” products banner and available at Best Buy and other stores. There’s Egg Minder, an Internet-connected egg tray that tracks how many eggs you have left in your fridge, and how fresh each of them is. Not your thing? How about Nimbus? It’s a “customizable Internet-connected dashboard that lets you track the data that affects your life, from commute times and weather to social media and more.” Nimbus looks like someone ripped the gauges out of a Corvette and hooked them up to the Internet. For your kids, there’s Porkfolio, a piggy bank that “connects to the Internet and lets you track your balance and keep an eye on savings via your smartphone.”
Nice! Or is it? The truth is we don’t know. But I have a sneaking suspicion that consumers will be suffering from an acute Christmas hangover – and one that doesn’t have anything to do with eggnog.
Rather, I think that the weeks and months following the Christmas holiday will reveal that a number of so-called “intelligent” products that were pushed to consumers in time for the holiday season are quite dumb when it comes to security and privacy. For one thing, the barriers to making connected devices have never been lower. In fact, companies like Electric Imp and Thingworx make it easy for even novice developers and startups to cobble together a new smart product, providing an IP address to some previously inanimate object.
Back in October, I wrote about serious security issues that were discovered in the IZON home surveillance product made by a Utah firm, STEM Innovation. Those problems include the use of a hardcoded “root” administrator account and a default configuration that leaves the IZON listening on pretty much every available port, including Telnet.
Responding to my inquiries then, the company’s CTO, Matt MacBeth, attributed STEM’s slow response to inquiries about the security issues with IZON to being busy “knocking stuff out” for the holiday season. Will those new devices share some of the same security and privacy flaws as STEM’s first generation of products? I think the chances are good that they will.
Even if STEM Innovation cleans up its act and its products, an army of lower-quality and less accountable competitors awaits, many headquartered outside the US. Speaking at the Amphion Forum in San Francisco this week, researcher Nitesh Dhanjani presented the results of some of his research on “smart” products like the Hue Wireless lightbulb, the Belkin WeMo baby monitor and WeMo power switch and the Belkin NetCam.
Although manufactured by two large and established industrial firms, the Hue and WeMo products were still found to have poorly thought-out or poorly implemented security. The WeMo baby monitor, for example, allows any mobile device on the same wireless network to connect to it, provided that device has installed the baby monitor mobile application.
However, once that device has authenticated to the baby monitor, it is treated as a trusted device forever. That means that a house guest who hopped on your Wi-Fi and listened in to your “smart” baby monitor while in your home could continue to listen in from, say, Japan or Australia, long after the dinner dishes have been washed and put away, Dhanjani told the audience.
“I can understand from a ‘business use case’ that if you buy a baby monitor you want it to just work,” he said. But as insecure devices proliferate in our physical environment, the interactions between them become more difficult to predict. That, in turn, makes it easier for malicious cyber criminals to penetrate further into our lives, he warned.
Malware that is programmed today to search out vulnerable Windows PCs will, in the not-too-distant future, also scan networks for exploitable “stuff” – thermostats and HVAC systems, intelligent power switches, refrigerators and other consumer appliances, Dhanjani said.
Often the cure for what ails smart devices is simple: stronger authentication schemes or default configurations that harden them against casual attacks. But with few guidelines on how to properly design and deploy such products and only the scantiest regulatory oversight, the lure of money and potential profits is almost certain to cause companies to focus on feature development over security.
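As an added illustration (not code from Belkin, Dhanjani or the original article), the sketch below models the "trusted forever" pairing behaviour described above next to one possible stronger scheme that adds owner approval, expiry and revocation. The class, its parameters and the client names are hypothetical and constructed for this example.

```python
import secrets

DAY = 86400  # seconds

class PairingRegistry:
    """Toy model of a device's trusted-controller list (constructed for illustration)."""

    def __init__(self, ttl=None, require_approval=False):
        self.ttl = ttl                          # None = a pairing never expires
        self.require_approval = require_approval
        self.tokens = {}                        # token -> (client name, time issued)

    def pair(self, client, on_lan, approved=False, now=0):
        # Pairing is only offered on the local network, as in the article.
        if not on_lan or (self.require_approval and not approved):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (client, now)
        return token

    def authorize(self, token, now):
        # Called for every session, wherever the client connects from.
        entry = self.tokens.get(token)
        if entry is None:
            return False
        if self.ttl is not None and now - entry[1] > self.ttl:
            del self.tokens[token]              # expired: must pair again on the LAN
            return False
        return True

    def revoke(self, client):
        # Owner-initiated removal of every token issued to one client.
        stale = [t for t, (name, _) in self.tokens.items() if name == client]
        for t in stale:
            del self.tokens[t]
        return len(stale)

def guest_scenario(registry, owner_revokes):
    """House guest pairs on day 0, then connects remotely on day 30."""
    guest = registry.pair("guest-phone", on_lan=True, approved=True, now=0)
    parent = registry.pair("parent-phone", on_lan=True, approved=True, now=25 * DAY)
    if owner_revokes:
        registry.revoke("guest-phone")
    return {"guest_day_30": registry.authorize(guest, now=30 * DAY),
            "parent_day_30": registry.authorize(parent, now=30 * DAY)}

weak = guest_scenario(PairingRegistry(), owner_revokes=False)
hardened = guest_scenario(PairingRegistry(ttl=14 * DAY, require_approval=True), owner_revokes=True)
print("trusted forever:", weak)
print("expiry + revocation:", hardened)
```

In the weak model the guest's day-0 pairing still opens a session on day 30; with expiry alone the same token is rejected, and revocation lets the owner cut access without waiting for the timeout.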
Tens or hundreds of thousands of these devices will be making their way into homes and offices in the coming months, with the Christmas tree simply the launching pad for many. But the security and privacy consequences of introducing those devices will be felt long after the tree has been hauled to the curb. Count on it.