The Internet of Things and security

7 06 2015

Like so much in the world of computing if you ask 5 people for a definition of the Internet of Things (IoT) you’ll get 10 slightly different answers. So for the sake of balance here’s an eleventh.

In my simplistic view, the IoT refers to those items that can be accessed over the internet but which you would not normally consider as being obvious candidates for internet access, nor indeed as being especially computerised. The examples often quoted are kettles, fridges, heating systems and lighting systems, but the list is literally endless.  Want to check on the charge left in your electric car, then look it up on your smart phone, want to record that television programme, then access your recorder from your office PC, want to turn on your oven, set it from the train on your way home. It was estimated that in 2014 there were 16 BILLION wirelessly connected devices and that by 2020 that number would exceed 40 billion.

So why am I writing about being able to turn your kettle on from your car in a security blog?

Let me take you back to those innocent days when the internet first entered the consciousness of the mainstream, when AOL sent you an endless stream of CDs, when you could either make a phone call OR use the internet and 56k was considered to be fast. Back then no-one really thought about security, no-one considered that bad guys might be able to do bad things over the internet and no-one cared.

Fast forward to 2015 and we are bombarded with stories about hackers, e-crime, government snooping and our personal details being on sale on Russian websites. We are encouraged to use strong passwords and to keep safe online (see my previous blogs) and many of us do take more care about using the internet.

Our world is much more connected, and we are more connected, whether over social media, in our dealings with our employers or our banks, or in our day to day lives, and into this maelstrom comes the Internet of Things.

The problem is that the vast majority of devices that make up the IoT have security settings that hark back to those early days. The chips they use are not designed from a security perspective, the security settings (if they even have them) are weak and easily guessed or broken. They are commodities, produced in the millions and designed to be thrown away, not upgraded or patched, if an issue is found, and these devices are connected to your home networks, to your business networks, to our hospitals and the critical national infrastructure.

In the vast majority of cases we have no idea what can be done with these things above and beyond their advertised use. The same chipsets appear across a range of devices with the settings needed for your kettle enabled, but other possible uses still sitting there in the background. Smart meters for your electricity and gas use come with all of the capabilities on the chips, not just the few that you have decided to pay for, and all of this capability is connected to the internet available to anyone who can find their IP address.

So why should you care? Well in order for you to access your kettle from your train, it has to be connected to the internet. How does it do that? Well it’s sitting in your house, plugged in and raring to go, wirelessly connected to your home network and waiting for you to call. To be on your home network it must be authorised and enabled, which means it has to know about your network and vice versa, which would be fine if it looked after those very sensitive details, but generally speaking it doesn’t. So you have a kettle that is holding the keys to your home network, exposed to the internet with pretty much zero security, and if you can see it, so can the other billions of people with internet access.

That means that with relative ease and a bit of readily available kit, those billions of people can access your home network and the devices sitting on it, such as your PC on whch you do your internet banking, and have a wander around to see what they can find.

That is why your remote access kettle finds its way into  a security blog.

So what can you do about it?

Well, to be butally honest very little. If you want to use these devices you have to accept that you have as much chance of improving the security as you have of changing how a vacuum cleaner works. You buy it as a commodity, you take what the manufacturer offers and you live with it. You can’t go in and change the default password on a kettle any more than you can change the spin cycle on your washing machine.

Obviously not all of these devices have the appalling levels of security that I’ve highighted in this posting and I’m sure that much like the progression from the early days of the internet to today things will improve. Security will start to be considered at the design stage and many of the more obvious errors we see know will be resolved, but as we know it’s a jungle out there and at the moment the consumer is at the bottom of the food chain.

There is nothing that can be done to slow the pace at which these devices are being introduced, and to be honest I for one don’t think anything should be. The IoT presents fantastic opportuniites many of which we are only beginning to realise, and can take us down paths we’d never considered possible, but like any technological revolution it comes with risks and we need to go on the journey with our eyes open.

If you choose to embrace the IoT then you are at the vanguard of a brave new world. We have no idea what it will look like and we have no idea where it will lead us but what we do know is that if there is an opportunity to make an illegal buck out of security weaknesses the bad guys will be queueing up to take full advantage.

And on that happy note I’m going to walk through to the kitchen to put my kettle on for a cup of tea.

As always I’d love to hear your thoughts on what I’ve written so please share your comments below.

Keeps safe and happy surfing



%d bloggers like this: