The Internet of Things promises many wonderful benefits but the lack of security focus guarantees there will be severe detriments. A column in the New York Times inadvertently explains how dire some of these detriments could be:
WASHINGTON — For more than two years the F.B.I. and intelligence agencies have warned that encrypted communications are creating a “going dark” crisis that will keep them from tracking terrorists and kidnappers.
Now, a study in which current and former intelligence officials participated concludes that the warning is wildly overblown, and that a raft of new technologies — like television sets with microphones and web-connected cars — are creating ample opportunities for the government to track suspects, many of them worrying.
“ ‘Going dark’ does not aptly describe the long-term landscape for government surveillance,” concludes the study, to be published Monday by the Berkman Center for Internet and Society at Harvard.
The study argues that the phrase ignores the flood of new technologies “being packed with sensors and wireless connectivity” that are expected to become the subject of court orders and subpoenas, and are already the target of the National Security Agency as it places “implants” into networks around the world to monitor communications abroad.
The products, ranging from “toasters to bedsheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables,” will give the government increasing opportunities to track suspects and in many cases reconstruct communications and meetings.
Encryption is only part of the electronic security puzzle. Even if your devices are properly implementing encryption to secure the data they store, transmit, or receive they may not be properly enforcing credentials. Authorized users are expected to be able to gain access to plaintext data so bypassing the security offered by encryption can be done by gaining access to an authorized user account.
Let’s consider the Amazon Echo. The Echo relies heavily on voice commands, which means it has a built-in microphone that’s always listening. Even if the data it transmits to and receives from Amazon is properly encrypted an unauthorized user who gains access to the device as an authorized user could use the microphone to record conversations. In this case cryptography hasn’t failed, the device is merely providing expected access.
Internet of Things devices, due to the lack of security focus, often fail to enforce authorization. Some devices require no authorized at all, have vulnerabilities that allow an unauthorized user to gain access to an authorized user’s account, include built-in backdoor administrative accounts with hardcoded passwords, etc. That gives the State potential access to a great deal of sensors in a targeted person’s household.
I’m not against the idea behind the Internet of Things per se. But I’m wary of such devices at the moment because the manufacturers are, in my opinion, being sloppy with security. In time I’m sure the hard lessons will be learned just as they were learned by operating system developers in the past. When that finally happens and I can be reasonably assured the security of my smart television isn’t nonexistent I may becoming more willing to buy such products.