When your toaster becomes a target
The Internet of Things.
The Internet began in 1969 with the exchange of a simple message between two computers. Since then, the Internet has grown rapidly, connecting people to other people and to electronic resources around the world. More recently, a wide variety of devices have begun to be attached to the Internet, including household appliances, vehicles, factories, smart homes and personal health monitors. This new network of machines has been dubbed the “Internet of Things.”
With widespread access to the Internet combined with falling prices in computing, it is predicted that billions of new devices will be connected in the coming years. The Internet of Things opens up a vast array of nifty new possibilities: cars that can report engine performance to your mechanic, personal health monitors that send data to your physician, environmental monitoring of air, water and soil, traffic coordination and alerts about road conditions, and “smart homes.” One example of a smart home device is the “smart refrigerator,” which keeps your food cool but also monitors the food inside, tracking best-before dates and reminding you to pick up milk and bread on the way home. There are smart thermostats, smart blenders, smart TVs and even a smart tampon (one that connects to your phone via a Bluetooth link).
However, while smart and connected devices provide convenience and other benefits, they come with a variety of security and privacy concerns. Just like your personal computer, Internet-connected devices are vulnerable to computer viruses and attacks. For example, what happens when your smart blender gets hacked? One security report identified potential vulnerabilities in smart fridges. Some articles have described how cars can be remotely hacked to gain control of brakes, door locks, steering and even seat belts. Other reports describe attacks that could theoretically be made against pacemakers and insulin pumps equipped with wireless access. Larger attacks could possibly target public utilities such as power grids and water treatment plants.
Security by design
A recent news article reported a new threat called “BrickerBot,” a malicious software program that targets certain Internet-connected devices. The attack corrupts internal storage in the device, effectively making it unusable and turning it into a “brick” (hence the name). Other attacks take control of household devices (turning them into what are metaphorically called “zombies”) and use them to attack other computers. Large networks of “zombies” called “botnets” can be collected and used to send spam e-mails or perform “denial of service attacks” against other targets.
What’s more, these devices are often compromised without the knowledge of their owners. Many devices are left vulnerable to such attacks because they have factory-default passwords which people neglect to change, or they are not properly updated or patched when security holes are uncovered.
The second concern relates to privacy. How is the data being collected by your appliances being used? A recent report exposed how certain smart TVs log what their owners watch and how the data could then be sold to eager advertisers. One can only imagine how advertisers would love to know your viewing habits along with the contents of your fridge and the places you drive your car. No doubt your insurance company would be delighted to have access to the data from your wearable health and fitness tracker or data regarding your driving habits. Devices equipped with cameras and microphones bring up the creepy possibility of someone eavesdropping or spying within your home.
To avoid these issues, engineers and companies developing smart devices should start with “security by design” and take responsibility for security and privacy rather than leaving it as an afterthought. Devices should automatically manage security updates and not be configured with default passwords. Manufacturers should put the interests of their users first by minimizing the data they collect, treating it securely, notifying users about what information is collected, and providing choice about what and how information is used. And finally, consumers should have the choice to simply disconnect their devices from the Internet. I am grateful for the new possibilities wrought by the Internet, but I will be content if my blender and toaster are not part of the Internet of Things.