You pour a glass of wine and sit down to binge watch Netflix’s creepy stalker-drama You. You glance over your shoulder, sure someone is there. There’s no one, just your iRobot waiting to spring into action and make all your chip crumbs disappear. You pull out your smartphone, open the iRobot app and press clean. You hear the familiar beep and whir.
You turn back to the show. Penn Badgley’s brooding character has strategically placed himself on a dark street corner, hood up, spying on his dream girl. That cold, cringy feeling climbs up your neck leaving a trace of goosebumps in its wake. Your eyes dart left, then right. You set your wine glass down on the end table, beside your Echo and sit up, alert.
“Alexa, are the doors locked?”
“Yes, both the front and back doors are locked.”
“Alexa, lower the window shades.”
“Window shades are lowering.”
Locked and hidden away inside, you feel safe. You relax, or at least attempt to. It must be the show. You just can’t shake the paranoia that someone is there, watching you.
The iRobot stops in front of you, snagged on the corner of your area rug. A miniature version of your face reflects in its lens.
You ask Alexa because you find it amusing to ask it random questions to see what the answer will be, “Alexa, is anyone watching me?”
“We all are,” Alexa responds.
The Internet of Things (IoT) is keeping your home connected both in and outside of its walls, twenty-four hours a day. It’s easy to think that you are safe when you’re locked inside your home. But the more devices you have connected to the IoT, the more susceptible you are. You don’t want to get lulled into a false sense of security. It’s important to know that if you have a house full of IoT devices, then your home is hackable.
What’s an Internet of Things?
“The IoT is an extension of the Internet into the physical world.”[i] It is the fusion between products and communications technology. An IoT device, or smart thing, is a piece of hardware that allows an entity (like a human, car, appliance, or animal) to be a connected part of the digital world. This smart thing can be a healthcare device (like a pacemaker), a home appliance (your iRobot vacuum), a vehicle (like the Tesla that self-drives past you every day on your way to work), or an entire building (check out the Amazon distribution centre). It’s almost any device that is hooked up to a network and can provide information about the physical environment around it via sensors. These devices can speak to each other and can talk to ICT systems using a wireless computer or cellular network to communicate. But just like your laptop that’s connected to the internet, those networked smart things can be hacked.
IoT’s a little dangerous
The IoT is like the bad boy you were drawn to in high school. It’s alluring, but it’s a bit dangerous. IoT devices promise to make life easier. Your whole home can be controlled from an app on your phone. You can clean the floors, see who is at the door, lock up, and cool down, all from the comfort of your couch. But under all that shiny, new, inter-connected awesomeness there’s a dark side, and vulnerability.
In this case, “vulnerabilities are weaknesses in your system or its design that allow an intruder to execute commands, access unauthorized data, and/or conduct denial-of-service attacks.”[ii] Vulnerabilities can be weaknesses in software or hardware, in the policies that coincide with the usage or governance of the technology, or with the user. Another problem: IoT devices are often left alone or exposed. You don’t hire a babysitter for Alexa when you go out. So, that makes smart devices easier targets for threats, whether structured or unstructured.
An unstructured threat is usually conducted by a less experienced individual who uses hacking tools that are readily available online. A structured threat is when an individual knows the system and can exploit the devices’ vulnerabilities. It’s someone who knows what they are doing. Smart things can be targeted with malware, making them vulnerable to attack. These attacks can be physical (like someone manipulating the actual hardware components) or access attacks (where someone who shouldn’t gains access to your device or to your network).
The IoT is increasingly challenged by attacks on privacy because of the massive amounts of data and information available through remote access devices. Vast amounts of data mean large targets for data theft. Privacy breaches in the IoT sound like the stuff of spy movies…
Cyber espionage: The use of malicious software and cracking techniques to get juicy dirt on people, businesses, or the government.
Eavesdropping: Just like it sounds, using the IoT to listen in on conversations.
Tracking: Following a user’s movements and identifying locations where the user may have wanted to stay anonymous.
Data Mining: Getting the goods, even when the goods shouldn’t have been able to be gotten. Or digging really deep into databases to get information that wasn’t anticipated to have been there.
Sure, that happens, but I’m safe
Your home is a well-armed fortress. You have security features on your computer and phone, so you’re probably safe, right? There is no such thing “as the secure state of any object, tangible or not, because no such object can ever be in a perfectly secure state and still be useful.”[iii]
That’s pretty scary if you really think about it, a security nightmare in fact. If the IoT is connecting everything from kids’ toys to your home security system, your heating and cooling systems to your lights, then you need to think about how much control you are handing over to hackable technology. For example, implanted smart pacemakers take readings and transmit them to doctors, but they can also take directives from remote sources. That life-saving technology is also a vulnerability. Your smart home makes life more comfortable, but if someone wanted to take control of your security system and electric door locks the potential is there, and they would know whether you were home or not based on readings from your lights, your thermostat, and your appliances. If someone wanted to, they could glean a lot of personal information just from your daily routine, not to mention the information vulnerable to data theft. If you think about the smart things that most affect our lives, in a physical manner – the pacemakers, or cars, for example – the security risks go beyond data breaches and theft, to loss of property and the potential loss of life.
But this stuff is regulated, right?
It’s not regulated as much as you’d hope for. California is leading the way in North America, but the law (SB 327) won’t be in effect until January of 2020, and even then, it is vague and problematic with its demand that all “connected devices” have a “reasonable security feature.”[iv] What is reasonable, anyway? And that is only in California; what about the IoT in the rest of the world? The problem is, according to Richard Soley, Executive Director of the Industrial Internet Consortium, that “technology doesn’t respect borders.”[v] There need to be measures put in place globally to secure the IoT. The cybersecurity of the IoT has ramifications beyond the personal use of smart things. Smart homes are turning into smart cities, and the IoT is becoming integral to agriculture, manufacturing, energy, and finances. IoT is an ever-evolving, booming industry. The real-time data analysis and cybersecurity industry is ever-evolving alongside it and is expected to grow to $6.75 billion in profits by 2023.[vi] Corporations and governments are starting to seek out solutions to make the IoT as secure as possible.
Haiyan Song, Senior VP and GM of Security Markets for Splunk, said, concerning security and the IoT, that the “weakest link is us, humans.”[vii] That’s where most attacks begin, with phishing schemes and unattended devices. New technology always opens up new attack surfaces. You need to be smart in protecting your smart things, and keep your fortress locked down.
Are the objects in your home talking behind your back? Is Siri listening in? Perhaps not, but maybe it’s best you stay just a little paranoid.