By Paul Romeo, NYSTEC Information Security Consultant
I recently attended a training class where, during the break, one of the instructors told me how excited he was about the new refrigerator he’d just bought, which was going to be part of the Internet of Everything (IoE). From his smart phone, he said, he would be able to inventory the items in his refrigerator and know when he ran low on key items such as milk, eggs, and, of course, beer.
I said he might want to rethink putting beer in the new refrigerator, because he might not be the only one with deep insight into his dietary purchases. His health insurance company could have access and observe his sugar, fat, and sodium intake by monitoring his purchases—and even potentially raise his health insurance rates based on that data.
The instructor replied, “I never thought about that. I’ll have to keep my old refrigerator for my beer and junk food.”
What is the IoE? Is it something great, or should we be worried? The answer is likely a little of both.
The IoE essentially is the growing trend of connecting everyday objects to the Internet. These devices include everything from mobile phones, wearable devices, thermostats, and home entertainment systems, to coffee machines, refrigerators, and automobiles.
While there are many benefits to having items connected to the Internet, such as being able to inventory your refrigerator before you leave work or turn on the oven before you get home, there are privacy and security concerns that consumers must consider. It is important to understand that when items in your house are connected to the Internet, they are potentially accessible to the entire world of Internet-connected users—and the data they collect on you becomes valuable.
Read that privacy agreement on your new refrigerator carefully!
Cameras and Microphones
Think about all of the products in your house that may have a camera and/or microphone: TVs, videogame consoles, toys, and, of course, computers and smart phones. It is important to be aware that your private, in-home conversations may not be so private. Unfortunately, sophisticated attackers next door, or on the other side of the world, may be able to hack into your home network. If that happens, they could access your connected devices and compromise your data.
How can you protect yourself? If you do not have cyber forensic tools at your disposal, or don’t know how to use them, there are still some simple, cost-effective techniques to protect your privacy:
- Secure your home router and wireless network. Don’t just look for the quickest and easiest way to get a home router working; instead, take the time to enable security such as strong passwords, firewall rules, and the use of encryption.
- Unplug or turn off the device, or disable the microphone when you are having private conversations.
- Cover or turn the camera away when you do not want to be seen.
Others on the Internet may be able to access personal devices that are connected to your home network, or any wireless network in range. Hopefully, new IoT devices will be manufactured with basic security controls in place to restrict access. However, we can’t assume there will be built-in security. That’s because IoT devices, including home appliances, will have the same—if not more—bandwidth and energy constraints that all devices and applications face, which limits the amount of security that can be built in. Software is inherently insecure (new malware variants are being created at the alarming rate of nearly 1 million per day), so it’s well within reason to expect that home appliances connected to the Internet will be at least as vulnerable to cyberattacks as computers already are today.
It will also be more difficult to patch these devices, as they often run embedded firmware that is not easy to update or maintain.
Cars connected to the Internet may seem like a terrific way to help you be safe—your car could detect the sudden appearance of, say, a child’s ball rolling into your path and apply the brakes before you see the child running into the street. But as this article reveals, it’s possible for the manual controls in a car to be overridden by someone miles away from the driver. Among other things that could be done remotely: turn on the radio and air conditioning, even control the steering.
Along with this sobering news, remember that as auto manufacturers test driverless car features, hackers may see new opportunities for stealing and controlling cars from a remote location.
There are countless lives saved every day by Internet-connected technologies that enable early detection of heart conditions and other maladies. That being said, proper security needs to be designed into these medical devices, which may be vulnerable to malware and other cyberattacks.
In every decision, there is a cost-benefit analysis to be made. When it comes to the IoE, it is important for consumers to fully understand the risks before they make a purchase. The well-funded marketing teams of large corporations producing Internet-connected devices will understandably emphasize the benefits of the devices they sell. It’s up to consumers to look into the risks—and know how to manage them.
It may be worthwhile to stay off the bleeding edge of technology and wait until IoE devices are thoroughly tested.