The Internet of Things and security

7 06 2015

Like so much in the world of computing if you ask 5 people for a definition of the Internet of Things (IoT) you’ll get 10 slightly different answers. So for the sake of balance here’s an eleventh.

In my simplistic view, the IoT refers to those items that can be accessed over the internet but which you would not normally consider as being obvious candidates for internet access, nor indeed as being especially computerised. The examples often quoted are kettles, fridges, heating systems and lighting systems, but the list is literally endless. Want to check on the charge left in your electric car? Look it up on your smart phone. Want to record that television programme? Access your recorder from your office PC. Want to turn on your oven? Set it from the train on your way home. It was estimated that in 2014 there were 16 BILLION wirelessly connected devices and that by 2020 that number would exceed 40 billion.

So why am I writing about being able to turn your kettle on from your car in a security blog?

Let me take you back to those innocent days when the internet first entered the consciousness of the mainstream, when AOL sent you an endless stream of CDs, when you could either make a phone call OR use the internet and 56k was considered to be fast. Back then no-one really thought about security, no-one considered that bad guys might be able to do bad things over the internet and no-one cared.

Fast forward to 2015 and we are bombarded with stories about hackers, e-crime, government snooping and our personal details being on sale on Russian websites. We are encouraged to use strong passwords and to keep safe online (see my previous blogs) and many of us do take more care about using the internet.

Our world is much more connected, and we are more connected, whether over social media, in our dealings with our employers or our banks, or in our day to day lives, and into this maelstrom comes the Internet of Things.

The problem is that the vast majority of devices that make up the IoT have security settings that hark back to those early days. The chips they use are not designed from a security perspective, the security settings (if they even have them) are weak and easily guessed or broken. They are commodities, produced in the millions and designed to be thrown away, not upgraded or patched, if an issue is found, and these devices are connected to your home networks, to your business networks, to our hospitals and the critical national infrastructure.

In the vast majority of cases we have no idea what can be done with these things above and beyond their advertised use. The same chipsets appear across a range of devices with the settings needed for your kettle enabled, but other possible uses still sitting there in the background. Smart meters for your electricity and gas use come with all of the capabilities on the chips, not just the few that you have decided to pay for, and all of this capability is connected to the internet available to anyone who can find their IP address.

So why should you care? Well in order for you to access your kettle from your train, it has to be connected to the internet. How does it do that? Well it’s sitting in your house, plugged in and raring to go, wirelessly connected to your home network and waiting for you to call. To be on your home network it must be authorised and enabled, which means it has to know about your network and vice versa, which would be fine if it looked after those very sensitive details, but generally speaking it doesn’t. So you have a kettle that is holding the keys to your home network, exposed to the internet with pretty much zero security, and if you can see it, so can the other billions of people with internet access.

That means that with relative ease and a bit of readily available kit, those billions of people can access your home network and the devices sitting on it, such as the PC on which you do your internet banking, and have a wander around to see what they can find.

That is why your remote access kettle finds its way into a security blog.

So what can you do about it?

Well, to be brutally honest, very little. If you want to use these devices you have to accept that you have as much chance of improving their security as you have of changing how a vacuum cleaner works. You buy it as a commodity, you take what the manufacturer offers and you live with it. You can’t go in and change the default password on a kettle any more than you can change the spin cycle on your washing machine.

Obviously not all of these devices have the appalling levels of security that I’ve highlighted in this posting, and I’m sure that, much like the progression from the early days of the internet to today, things will improve. Security will start to be considered at the design stage and many of the more obvious errors we see now will be resolved, but as we know it’s a jungle out there and at the moment the consumer is at the bottom of the food chain.

There is nothing that can be done to slow the pace at which these devices are being introduced, and to be honest I for one don’t think anything should be. The IoT presents fantastic opportunities, many of which we are only beginning to realise, and can take us down paths we’d never considered possible, but like any technological revolution it comes with risks and we need to go on the journey with our eyes open.

If you choose to embrace the IoT then you are at the vanguard of a brave new world. We have no idea what it will look like and we have no idea where it will lead us but what we do know is that if there is an opportunity to make an illegal buck out of security weaknesses the bad guys will be queueing up to take full advantage.

And on that happy note I’m going to walk through to the kitchen to put my kettle on for a cup of tea.

As always I’d love to hear your thoughts on what I’ve written so please share your comments below.

Keep safe and happy surfing

6 responses

7 06 2015
Adrian Wright

To be honest David the IoT sometimes appears to be a solution looking for problem. Having been to a few conferences on the subject it has become clear to me that even the experts don’t have a clear and consistent understanding of what it is or even what the ‘things’ in the IoT are.

The original concept was to integrate objects in the non-connected, non-virtual world by attaching or embedding interfaces termed ‘sensors’ to these animal/vegetable/mineral ‘things’, thus being able to represent these objects within the virtual space. So it’s surprising to still hear some experts referring to mobile devices as being the ‘things’ in IoT, when clearly these devices are already part of it.

The sector that has the most to gain and possessing the clearest view of IoT is in my opinion the medical sector. The ‘things’ in medical IoT are otherwise known as patients, and the profession is already highly experienced in attaching myriad sensors to them! In these days of hospital bed shortages this field has much to gain by being able to remotely monitor and manage patient treatments. However this area also carries by far the biggest risks – literally lives rather than just personal or credit card details. If we can get the security right in this area (and of course we must), then these lessons should allow us to apply the required protections anywhere else.

8 06 2015

Adrian. Thanks for taking the time to comment. What I’m finding as I look at this is that those who have a decent understanding of security are getting concerned and those who don’t are blissfully steaming ahead. Whilst it might not end in tears there will certainly be tears along the way.

9 06 2015
Adrian Wright

Indeed David. If you get an idle moment you might be bored enough to see my presentation on all things IoT security…

Like your blog handle btw 🙂

7 06 2015

Recently purchased a personal cloud hard disk and have been digging into its innards. Basically a standard hard disk with a special controller board holding its OS, which looks like Unix. Added a few files and started looking at file permissions. Bit concerned at how these are auto assigned via its OS. One looks like a user which may be a developer. The interesting thing is that whilst I dabble in this area, having been exposed to IT security, many who buy these products would have no idea and trust the manufacturer to not expose them. One of the truths in security is that rogue employees are a high risk threat and their employer does not necessarily have rigorous controls which could prevent problems for the brand. I notice the product support forums appear coy about answering security enquiries.
Hang on a minute I’m retired this seems like work

12 06 2015

Nice article, but in the consumer space the security issue is quite overblown. It is more likely that a “hacker” will access your open or WPA encrypted wifi than access anything of relevance inside a home. The big issue is the lowly consumer bowing into everyone hijacking their data. Until the average consumer pushes back and someone puts together an all-encompassing local gateway eliminating the need for all the services you pay to sell your data, we’ll be perpetually at the mercy of Jimmy Ray’s data collection service and its wonderful ancient DES-56 encryption.

12 06 2015

John, thanks for that and it’s something I’ve partially touched on in one of my previous posts – how do we raise the level of security awareness of the average punter.
