The Internet of Things - IoT

You've almost certainly heard the term "Internet of Things" within the past year or two. It's the biggest new thing right now.

So what exactly does this mean?

Broadly speaking, it means that many of the everyday things we use in our lives are designed with internet connectivity. These are everyday appliances and devices that traditionally had no smarts and certainly no way to communicate beyond their self-contained functions.

An early example of an IoT device is the Nest thermostat -- a learning thermostat that anticipates your climate needs and can be controlled in a number of ways via the internet.

Today there are far more IoT devices available. Literally anything that has a human interface -- that can be controlled or monitored -- is a candidate to become an internet-connected appliance.

Residential examples include HVAC monitoring and control, refrigerators, washers/dryers, door locks, security systems of various types including cameras, TV, light switches, fitness trackers, baby monitors, reminder systems, help buttons (often used by elderly), etc.

Industrial examples include transportation systems such as traffic monitoring, signal control, programmable roadway signs (that display things like "don't text and drive", AMBER alerts, etc.), weather monitoring, infrastructure control such as electric grid management, and many others.

A Little History -- Predecessor Methods

For years now, remote industrial applications have been monitored and controlled via SCADA (Pron. SKAY-duh -- Supervisory Control And Data Acquisition) systems. Such industrial systems include interstate gas pipelines, the electrical grid, railroads (monitoring trains and lines, controlling signals, actuating railway switches), airports, office towers; the list goes on.

These industrial applications often incorporate thousands of sensors and control points generating millions of data points and may be geographically spread far and wide. A method of remote monitoring and control was required. The methods and protocols developed under the umbrella term SCADA were the answer to this need.

SCADA is the functional predecessor to today's internet of things, but with (at least) two big differences:

  1. Scalability: SCADA was designed for industrial applications only. The internet of things model is scalable from large industrial applications that SCADA traditionally served down to individual, personal devices.

  2. Communication: Traditional SCADA systems back in the day communicated via dedicated lines, not the internet. The IoT, by definition, communicates via the internet. And that is also a huge source of concern and the impetus for me to write this article.

Neighbors Unlocking your Front Door?

As with damn near everything on the internet, manufacturers of IoT devices rarely pay any mind to security concerns. They want their gadgets to be cheap, easy to set up, and work seamlessly. They aren't too interested in complicating things by imposing too much inconvenient and pesky security. As a result, many IoT devices have weak or no security, weak or no encryption, default passwords, easily defeated access methods, and are more vulnerable to attack from outside bad actors.

Just do a Google search on "internet of things security issues" (without the quotes) and you'll see many millions of search results. It's a big and growing problem.

There are actually websites that specialize in cataloging people's insecure IoT devices such as residential camera systems used as baby monitors and for security! Imagine someone remotely watching your child sleep, monitoring and disabling your home security system, or unlocking your front door if you have an IoT door lock. All this is possible and has been demonstrated.

Invasion of the Body Snatchers

Improperly secured IoT devices all over the world are being hijacked by the hundreds of thousands (probably millions) into robotic armies called "botnets". If your IoT gadget (be it a camera, video doorbell, thermostat, whatever) were hijacked, it would likely still work as intended, but it would also be listening for orders from one or more C&C (Command and Control) servers, run by a "bot master" -- a criminal enterprise. The bot masters aren't interested in attacking you -- they want to use your IoT gadget, along with many others, to attack whoever they like, for whatever reason.

In Sep 2016, the website of security researcher and journalist Brian Krebs (KrebsOnSecurity.com) was attacked by a massive DDoS* disruption that slammed his site with millions of bogus web requests that knocked him offline. Several hundred thousand devices were all hammering his site simultaneously. What were these devices? Cloud-enabled cameras, home routers, and countless other crappy insecure "Internet of Things" devices that people buy and don't know how to properly secure.

There are moves afoot to draft legislation to mandate security standards for IoT devices but, as usual, clueless lawmakers are dreadfully outpaced by product development. It remains a totally unregulated marketplace where any cheap insecure product can be sold.

* DDoS stands for Distributed Denial of Service. It's a type of attack where many thousands (or millions) of computers or devices all simultaneously and repeatedly try to connect to the same web site. The flood of incoming requests can temporarily overwhelm and disable a web site. DDoS attacks are carried out for any number of reasons: political disagreement, extortion, to be disruptive, or simply "for the lulz".

The Cute and Cuddly Spies Masquerading as Toys

IoT tech is making its way into children's toys. Manufacturers are now making interactive toys that use cloud-based backend servers to give the toy its "smarts". Just as the power and knowledge of Siri reside not on the iPhone itself but on servers in an Apple datacenter, so too does this new breed of interactive toy get its "intelligence" from cloud-based servers. In this case, however, the servers belong to third-party companies (usually foreign, outside the reach of US law) that don't give a hoot about security or privacy.

Your kid's cloud-enabled toys could well be recording every word they hear and sending it to a data center. The value of that collected data is huge. By parsing every word these toys hear, the toy can respond intelligently. But it doesn't end there. That data is mined for all kinds of valuable information that is sold to anyone willing to buy.

Think for a moment about all the conversations you might have in your home that can be picked up by these toys: discussing a major purchase, a legal problem, medical issues, marital problems, and more. And that's just the parents having grown-up conversations. Kids will parrot anything they hear. A young child lacks judgement and discretion and might confide in his/her intelligent and responsive toy about mommy and daddy's constant fighting or anything else.

And don't think it's anonymous, either. Most IoT toys require a sign-up (even if free) of some sort, almost certainly using your email address. Everything that toy hears is associated with you, specifically. Use a throw-away email address? Not good enough. That toy can scan your network, logging the MAC addresses* of all other devices it sees and your public IP address as well. And under the right circumstances, the MAC addresses can be used to fingerprint you across the internet. The IoT toy maker may then package up the MAC addresses, coupled with the interesting marketing info it collected by transcribing what the toy heard, and sell it to big data. This is absolutely possible and almost certainly happening. No manufacturer would leave that money behind.

* What is a MAC address? Every internet-capable device has a unique MAC (Media Access Control) address hardwired into the device, and it never changes for the life of the device. While the purpose of the MAC address isn't to track you, it can be abused in that way.

A Real Necessity?

Some connected devices -- like the Nest thermostat with its innovative energy-saving features -- lend themselves to internet connectivity and can be useful. But they must be set up correctly and securely!

But many manufacturers today are adding internet connectivity to mundane devices simply to differentiate them from their competitors. Who the hell needs an internet-connected refrigerator or coffee maker? Yet both of these things exist.

I'd steer clear of most IoT devices until the manufacturers can get behind a coherent and unified privacy and security strategy to keep their systems safe, secure, and private. We already expose ourselves too much in the name of convenience and interconnectedness. At the very least, consider only those devices that offer a true and useful benefit. And if you don't understand how to make sure it's properly secured, call someone who does.

Do you really need to unlock your front door using your phone?