This month I’m taking my own look at the Internet of things and from the standpoint of security, what I am seeing looks like crap.
The Internet of things is this concept that we are moving to an interconnected world in which all sorts of devices are on the network. Like a utopian vision, this web of devices, sharing information and constantly speaking with each other will simplify our lives. When you’re running low on eggs and milk, your refrigerator will know and add them to your shopping list. Or even better, tell the grocery store so they can add eggs and milk to your next delivery. (It’s all a little Matrixian if you ask me. I’m troubled when Quicken reminds me it’s time to pay a bill that’s only due once a year. But I guess it’s where things are going.)
The problem though is that like with many enterprise technologies, we’re racing ahead with adoption at full speed, damn the torpedoes, and security is an afterthought. We can’t wait to buy them, get them connected, and let them do what they have been promised to do…make life more efficient. Make life better. Isn’t that why people are installing Nest thermostats in their homes? Hook it up, connect it to wifi, download your app to your iPhone, and woolaa, life is better!
But what happens when these tools of automation and efficiency turn against us? Despite the Matrix reference, I’m less concerned about them becoming self-aware than I am about them getting a little help and coaxing from outside influencers. Your Nest knows your not home so it automatically goes into Away Mode. That saves you a bunch of energy which reduces your heating bill which lessens global warming and saves the polar bears…whatever floats your boat. Now how about if a thief can find out when your Nest goes into Away Mode? It might seem to them like a good time to break into your house.
We’ve been moving to this interconnected world for years now. Target just learned the hard way that the Internet of things applies to enterprises as well. System automation (in this case a networked HVAC system) provided criminals with a nice little conduit into Target’s enterprise systems. I didn’t see that coming. Should have, but didn’t. In this case it’s a supply chain risk coupled with command and control vulnerability.
Unless we begin to treat all of our devices, boxes, technologies, etc. as hostile by default, we will continue to find ourselves cleaning-up the havoc wrought by adversaries with poor intentions and friends with good ones. Problem is, when it comes to this, the skeptic in me start rearing its ugly head. We can always hope.