Security risks for IoT
Imagine a malevolent botnet that compromised thousands of common household devices. The botnet used the devices to attack and take down a large part of the internet. Security cameras, nanny-cams, personal video recorders and home routers – all kinds of devices were part of the attack. Scary, huh?
Well, you don't have to imagine this scenario. It actually happened in October 2016, when the Mirai botnet of compromised consumer devices took down the DNS provider Dyn, emphasising that security is a key part of any conversation about the Internet of Things (IoT).
In some ways, IoT security mirrors our experience with the internet itself. We'd have designed email differently back in the day if we'd thought about spam, for example. But have we learned any lessons a bit quicker this time around, as billions of new things light up around us?
Well, hopefully. That's the view of independent security consultant Erica Anderson and Head of Spark Security Josh Bahlman.
"People aren't thinking about that risk when they're developing the outcomes for IoT," says Josh. "They're trying to solve a problem or make something easier for people to do. So it's about getting fast to market and putting some cool features on. They don't think, how do you secure this device? Is this going to impact someone's life if something happens to this device? Or what could this device do on the broader internet?"
But as IoT solutions become more common, are we catching up?
Josh says, "Reputable vendors are thinking about it, but now you're getting a lot of cheap devices produced, and a lot of cheap manufacturing places around the world. They need to get the stuff out to market as fast as possible to make money. They're not really thinking about, 'Do you need the capability of patching it or should it be patched?' It's not really something that they're really thinking about in the low end of the market. And that's where the mass amount of these IoT devices is coming from."
The risk/benefit trade-off
Erica says it's the same any time we trust technology so we can benefit from it.
"For example," she says, "when you're using an online shop, you're putting all of your sensitive personal information into a website in order to buy goods online. It's really kind of the same concept when it comes down to being able to turn on your heat pump when you're driving home.
"So it's kind of trading that data for that convenience. But it all comes down to the same critical security controls, just like a website. The technology that drives the internet component of your heat pump needs to be patched."
The internet-connected heat pump isn't just a theoretical issue for Erica. She admits she recently decided not to buy such a device over security concerns.
"I was at one of those home idea centre workshops and listening to a seminar about heating and cooling, and the salesperson, they're going on and on about how, 'Oh, you can turn on your heat pump while you're in your car headed home.' And I was sitting in the audience and just googling the name and security vulnerabilities and I was like, 'Ooh, there's actually quite a long list'."
She says the best way for anyone to assess whether a manufacturer is taking security seriously is to do what she did.
"Just google the name and 'security' and see what comes up. It doesn't mean you have to trawl through code and look at technical diagrams."
Josh has an even more alarming story.
"A friend of mine bought a new gas heater for his house and he had the option of connecting it to his WiFi, so he did. And then he had a look at the box and found out that there was an admin portal. So, he logged onto it with default credentials and then he had a little look around the code and realised that he could turn all of the heating right up and then shut down all the valves which would essentially overheat the thing in a few ... I don't know how long, but really causes some issues.
"And so he contacted the vendor and said, 'Hey, there's some issues with your software that you're running on these heaters when you connect them to the WiFi. You might want to think about these things and may want to go away and fix.' And the response was something that we've heard for decades, which is, 'Oh, no one would ever do that.' That's not something that's actually in their thought process."
"There's definitely only good people on the Internet. I promise you," quips Erica.
Paying mind to security doesn't mean going off-grid, she emphasises.
"I have certain things in my life that I want the convenience of. I have a Google Home in my kitchen, and I use it to set kitchen timers because I'm lazy. But at the same time, I know that there is essentially a microphone in my kitchen, so perhaps I'm not taking client calls there. It all comes down to what you're comfortable with: do I want this information out on the internet for anyone to access? And do I want this as a tool for someone else to beat someone else up with?"
The duty to protect consumer privacy
Security specialists are, of course, professional paranoids. But Josh has the extra duty of being Chief Professional Paranoid at New Zealand's largest network company. And he believes there's a duty on Spark to help.
"It's like a 'telco good citizenship' thing that I think we do feel responsible for, as well as trying to protect our customers' privacy if they are going to go and buy these things. Because we can't stop them, in reality. So we need to help them protect themselves."
At the other end of things, there's building security into the network.
"We're architecting our 5G network and what that means is we have a few ways to break up [bot] networks – stop them getting access via the internet. There are a few ideas that we're kicking around. And one, in fact, over lunch today was around how we can use network slicing to isolate untrusted IoT vs. trusted IoT. So we can actually protect the rest of the internet and our customers from getting attacked."
He believes the pressure is now going on manufacturers – not least from government – to raise their security game.
"There is pressure there for these products to actually be reasonably good. So, you know, I've got faith in people that it will come right and that we will be able to sort of at least do the right things to protect – from a telco view, from Spark – to protect our customers. And you know if they're gonna go buy cheap, shoddy stuff, we'll try and work out how we can protect them the best we can."
Both Josh and Erica agree that not all devices present the same risk. For example, a soil moisture sensor on a farm is not the same as a smart speaker in a home. Josh and Erica also agree that risks and benefits are relative.
Do they have anything reassuring to add?
"That," says Josh, when they've both finished laughing, "is not our job."