Staying Safe in an Internet of Things World
Greg Leffler
Observability @Splunk. Past: SRE Leader, Hiring Architect, Editor at Large @LinkedIn.
In my news video this week, I discuss two situations that should worry you about the future of connected devices: A remotely-exploitable Smart TV hack and an IoT garage-door opener maker escalating a petty disagreement into a full-blown war and practically locking someone out of their garage. Check out the video below:
The solution I mention at the end of the video is this: We can’t continue to rely on the makers of IoT devices to actually secure them properly or to adequately maintain a long-term web service, and we certainly shouldn’t expect them to operate a web service forever for free. That said, today, if the maker of your device decides to stop operating their web service, your device’s functionality ranges from “local control only” to “paperweight,” so it’s definitely worth thinking about.
The only way that we can trust our IoT devices to a) not spy on us, b) be usable as long as we’d like them to be, and c) make sure they can’t be disabled by petty tyrants is for 1) us, as individual users, to operate our own ‘cloud’ infrastructure (probably CoAP-based), and 2) make manufacturers make devices that can hook into that. (Of course, IoT device manufacturers would be free to offer their own hosted version of the service — but they shouldn’t be able to bind you to using their version.)
Setting a standard for how in-home devices talk to external control servers (and yes, there need to be external control servers – until IPv6 is magically adopted by everyone, it’s the only reliable way for devices behind consumer NAT and firewalls to be reachable by the outside world) and holding manufacturer feet to the fire to have every IoT use that standard is the only way to make sure that we know what the devices in our homes are doing, and to make sure that they’ll be usable by us as long as we’d like to, and not merely as long as the latest Silicon Valley unicorn still has its wings.
MBA seasoned in Training & Leadership Skills open to non-profit sector
7yGreat advice! I am not using the cloud at present time. I like the idea of "personal cloud" as I move forward in my present project. Making these IT ideas materialize, as per Max Nichiporovich's comment, is NOW! TY
Proud to be a part of Russian civilization...
7yInteresting article, thanks. I hope that the guy who bought the garage opener, easily switched back to original method of opening the door (or it continued operations in parallel). As far as the solution is concerned, the "personal cloud" would be the best solution for such devices according to my paranoid way of thinking. Though I doubt that many manufacturers will like it as it will leave them without "big data" on the device usage as well as it will close the door for many upsell opportunities (like service charges, for example). At the same time it can be an outstanding advantage to some IoT startups.
Independent Information Technology and Services Professional
7yThe article misses the point. Cyber Security is not simply a problem awaiting a technology solution. Instead Cyber Security is a problem of user behavior awaiting a deeper awareness and acceptance of responsibility. Simply put, individuals and organizations who cannot afford to lose data or information should not put it on the Internet. For those who can afford to lose data or information but would rather not, these users should exercise user protection by employing three-factor authentication and encryption.
CEO and Chief Technologist
7yArticle catches the crux of the IoT security problem
Systems and Network Consultant
7yWhen medical devices and more have hard coded passwords in firmware on a chip you can't change, there's unfortunately a bit more to it than running your own cloud infrastructure and knowing what a device talks to, and firewall rules. Traffic can be spoofed. Flaws in general security design of hardware is generally where the problem lies. Plenty of modem manufacturers have literally paved the way for huge bot nets, simply by exploiting said flaw and loading unremovable rogue firmware onto your home modem for example. Manufacturers most certainly know they're designing product with bad security - they and governments don't care. Dare we forget hacks on hp printers that allowed them to be remotely exploded, Cisco phones that can be turned into spy devices. IoT is just a new word for poorly designed hardware, it's nothing new, security is neglected entirely.