The Internet of Dumb Things
The Internet of Things, along with being one of most profoundly stupid phrases of all time, is also profoundly broken from a security perspective. Your dishwasher and your car are probably several firmware versions out of date, and your light bulbs are likely communicating with your smart home hub over a cleartext connection. It’s ugly out there.
How ugly is it? Glad you asked. It’s so ugly that even the federal government has taken notice. Think about that for a second. This is the same government that developed the forerunner of the Internet, used it for a while, kicked it out into the world, and then largely ignored it for the next two decades. Now that the entire world economy basically depends on the network operating as designed, the United States government is quite interested in what’s happening on it, especially when it comes to security. Recently, that interest has begun to extend to embedded device security, otherwise known as IoT security.
The Federal Trade Commission recently sent comments to the Department of Commerce’s National Telecommunications and Information Administration about the state of security and privacy in IoT devices. The state of that union is... not strong. The commission staff cited a number of serious concerns about the way that vendors are building embedded devices and the scant attention that many of them are paying to security or privacy. One of the major problems the FTC raised in its comments is the frequency, or lack thereof, with which vendors deliver security updates to their devices.
“Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices,” the FTC said in its comments.
This is a familiar problem for anyone who owns an Android phone. Android users are at the mercy of carriers for security updates, and carriers are usually more interested in having customers buy another phone rather than update their existing ones. That model is extending to IoT devices, as well, to the detriment of users’ security. Many of these devices are built quickly and cheaply and much of the software in them wasn’t designed with any kind of software security process in place. The emphasis is on getting the device out the door and into the hands of consumers and then moving on to the next one.
The privacy concerns associated with IoT devices are just as serious, if not as well-publicized or well-understood. These devices are designed to collect data about their users and send it back to the vendors, who then analyze and digest the data for insights into user behavior. The FTC recently did an analysis of IoT devices and found a slew of third-party apps connected to the devices.
“As this analysis demonstrates, IoT devices are capable of collecting, transmitting, and sharing highly sensitive information about consumers’ bodies and habits. These privacy implications may increase if consumers’ health routines, dietary habits, and medical searches are combined with offline sources and across devices.”
Users often have no idea what these devices are collecting and sharing about them, or how that data is being used by the vendors or their partners. This has been the default data-collection and monetization model of the actual Internet forever, and it was only natural that it would be extended to the IoT, too. It’s taken many years for the security and privacy communities to get vendors on the right track with software security programs and taking privacy into account with data collection, and we are well down that same path for connected devices already. It’s not too late to fix it yet, but the sun is beginning to set.