As a wise man once told me, the two most important reasons people invest in security are: Fear and Compliance. Of course, there are a few smart people who invest in security because they actually think it’s a good way to manage risk. But some might still argue that this falls under the Fear category. In any case, I’m going to have to appeal to your sense of fear now, since there are no regulations that will force you to spend any time or money on the Internet of Things.
Smart devices are coming
If you haven’t heard the term the Internet of Things, you may have already been exposed to the concept. That is, one day in the not too distant future, just about any object you can imagine will be available in a Smart version… New and Improved! the ads will read. Anything labeled as being Smart will be expected to be able to connect to the Internet and communicate with you, of course. But it also implies that these Smart things will be able to communicate with other Smart things via wireless communications. Sounds great, right? Well, not so fast…
What’s the big deal?
While you will soon be hearing about the benefits of having your fridge communicate with your oven, your alarm clock, your electric razor and your lawn mower, there just might be a down side to making everything around you Smart. And you need to understand that downside before you take the bait. Here are a few things you should know:
1- Once again, no room for security. While Smart devices will be worth more than dumb devices, their manufacturers will still be in price competition. So, they will have to remain as low cost as possible. Guess what this means for security? It means none of them will be compelled to build in much (if any) security to protect the devices from leaking sensitive information like your wi-fi network password, or from being vulnerable to hijacking. (Imagine getting an email from an attacker saying they just took control of your furnace or air conditioner, and want you to pay them $79 for the privilege of regaining control of your household climate. Don’t laugh; it could happen!)
2- Little by little, we fall into the trap. The information shared by devices may not seem that sensitive, but just as the recent outrage has grown over “metadata” surveillance of personal phone calls and other online activities, little bits of information about everything you do will paint a pretty clear picture of your private life. You might be trying to convince your lawyer that you were with your kids, while your ex-spouse’s lawyer obtains a report on your personal possessions that had interactions with other devices in a downtown night club. It could be perfectly innocent, but this kind of data could be used in any case against you.
3- You get what you pay for. Small, cheap, Smart devices will not be sophisticated enough to update themselves like your computer does to protect itself from new virus threats or attackers. So, you’ll likely end up throwing out the first version you bought because it has a dozen security holes in it and exposes your entire household to outside attack.
What can you do about it?
These are just a few of the reasons you should start paying attention to the security and privacy side of stories about the Internet of Things and Smart devices. Here are a few things I recommend people do when you are making a wish list for your next holiday season:
1- Segregate. Consider investing in multiple, decent quality, wi-fi routers (they’re dirt cheap now) to create different networks for your home or office. Use one for sensitive data like your computers, tablets and smartphones. Then use others for networks of lights, or home automation devices. This way, if your cheaper devices get attacked, your more sensitive devices won’t expose your more valuable assets.
2- Invest. Don’t cheap out on Smart devices. The cheapest Smart devices will have virtually no security, and you will probably have to throw them out and upgrade sooner rather than later.
3- Don’t be lazy. Consider NOT automating everything you can. In my view, our laziness is what is making us more vulnerable than we need to be. The more we rely on Smart, wireless devices, the more we are at risk. Is it worth it to automate everything, just to be cool or hip?
If you’ve already started dabbling in wireless security cameras, motion detector switches or light bulbs, try to imagine how these things could be used against you. It may not seem like anything to worry about right now, but the next thing you connect to your network could change the vulnerability of your network and personal information.
Let me know what you think. Am I fear-mongering? If so, what makes you feel secure about the coming Internet of Things?
If you just think I’m on a rant, why not check out what other security folks (like Bruce Schneier) are saying about how badly the Internet of Things will likely come crashing down?
The Streetwise Security Coach