As the Internet of Things rapidly becomes mainstream, I often wonder whether or not security is a primary concern for the product designers and developers. Time to market is a priority, and “quick and dirty” development leads to technical debt and vulnerabilities in the code. In addition, design of a successful product is top of mind.
While this is certainly an important consideration, I worry that no one is looking out for consumers when it comes to security. Gartner predict that there will be more than 26 billion IoT devices by 2020. This niggling concern led me to research the topic and write this blog. As I dove into the subject, April 1st brought the announcement of the Amazon Dash button. Was this for a fool or for real? Either way, I hope the developers had security up there with the design and ease of use as a priority.
Like most people who work in the technology world, and this covers many different disciplines today, I could not resist deliberately introducing IoT into my life by purchasing and installing a couple of Nest thermostats in my home. As I live in the UK, this was not as easy as it should be, but that is a topic of discussion for a different time. As I was physically installing the Nest (and I say physically because we are so used to technology requiring hardly any physical intervention, apart from the odd USB cable), I had to discover how my central heating system had been wired 20 years ago, and literally hack into it by cutting, splicing and reconnecting cables.
This made me think about the technology embedded in the Nest, and about hacking into it. Working in the security industry, I could not help but start to think about how I could subvert its behavior and I started to sketch out the network architecture evolving in my home. To help me, I installed AlienVault and very quickly I had at my disposal an inventory of all the network assets in my home.
Would it surprise you to know that I found more than thirty assets? As far as I knew we only have a handful of laptops, so where are these thirty network assets and more importantly what are they doing and who are they chatting with? I discovered I had two unidentified Linux devices, and after some investigation, they turned out to be the two Nest thermostats that I had just installed.
As I thought more about the rapid evolution of the Internet of Things, it concerned me that there is a wave of highly sophisticated technology being unleashed on an unsuspecting public, without adequate concern or planning for the security consequences. I see washing machines now that include an Internet connection and I even found a toaster!
If you saw the brilliant Bourne Supremacy film (watch it here), you may remember the scene when Jason Bourne puts a phone directory in the toaster, turns on the gas and quickly leaves the building. Imagine how much easier it would have been if he had been able to hack into the smart meter, gas oven and toaster, all connected to his iPhone? Would this be possible, either by design or by accident? This is a great article that wonders whether or not a connected toaster may over time develop feelings.
Stephen Hawking warns that AI could spell the end of mankind, and it is only a matter of time before Hollywood produces a blockbuster depicting our worst nightmare. More than 100,000 Nests are being sold per month. Could this be one of the largest potential botnets in existence today?
This past weekend the UK switched to summer time, and the evening before I idly wondered whether or not the Nest thermostats would correctly change the time, given that they have access to the Internet. When I woke the next day up I was surprised to find the heating on at the wrong time, despite the correct time being displayed on the Nest. I quickly surmised that there must be a bug in the scheduling software, and not surprisingly there are many online references now to the issue. You can read all about it here.
Yet several days later Nest had not yet issued a patch. As a conscientious energy user, I find this to be a problem, and some people quickly discovered that by changing their location to somewhere in Europe (Belgium seemed to be a popular choice), normal service has been resumed. But if a simple scheduling conflict was overlooked, what does that say for security?
Security researchers from the University of Central Florida have already shown how a Nest can be compromised, and this presentation given at Black Hat 2014 is worth reading. Surprisingly there are a number of basic security concerns highlighted, including the use of HTTP for downloading updates to the Nest and there is a nice video here. No doubt Nest are hard at work resolving these security concerns.
So where does this leave us? As with most security matters, we now know that protection alone is not sufficient and that monitoring must become the cornerstone of any security strategy. This is even more poignant with respect to the deployment of the Internet of Things, because the users will be us and our friends and family. We will be reliant on, and to some extent at the mercy of, the companies selling us the Things. Nest is a good example, but who knows how long it will be before it’s a lorry full of soap powder delivered to your doorstep?