I came across an interesting post over on Wearable World News today titled “The Danger of Smart Spam In the Internet of Things.” The article, by Jessica Groopman, ran yesterday and provides a kind of conceptual overview of the security and IoT space.
I think Goodman gets it mostly right: she talks about the proliferation of device types and platforms that will (or already does) characterize the Internet of Things. With hundreds of billions (compared with hundreds of millions) of Internet connected endpoints, cyber criminals, hacktivists and other bad actors have an even greater ability to create armies of compromised endpoints and harness their collective power in attacks.
Goodman also gets it right when she notes that many “smart” devices run commodity operating systems like Linux and don’t require lots of special effort to reverse engineer. Finally, IoT devices frequently are low power and embedded systems that lack the processing power to run the large and resource-intensive security suites that are common on most enterprise endpoints.
But Goodman’s news “hook” (to use a term of art) is that now famous Proofpoint report that claimed to document spam sent from a smart refrigerator. As this blog noted at the time, it’s important to recognize that this news came by way of a press release and that such reports are a not very subtle form of marketing for the firms with a product or service to sell. In Proofpoint’s case, warnings about a massive IoT botnet are an argument for its cloud based threat protection services, which include anti malware and anti spam.
As I noted at the time, botnets comprised of non-PC devices aren’t exactly news either. As far back as 2008, security researchers were warning that hardware like home broadband routers were washing up in massive, global botnet. Just this week, we had more evidence of just such a creation: a 300,000 strong botnet made up of compromised home and small office (SOHO) routers.
So what’s news and where does the problem (and responsibility for fixing it) lie? Goodman admits that “the answer to this question is not clear. Like with other emerging technologies, until the industry does a better job of building in hardware and software security features, the end user will continue bear the burden of vulnerable devices.”
The IoT, she says, “requires smarter security standards,” she says, which seems to mean more secure development and a greater awareness by manufacturers of how products might be abused (as with spam) and attacked.
But I wonder whether that’s even the most salient threat from IoT devices. In other words: just because spam or viruses have been a big problem for the last 15 years, doesn’t mean that those problems are going to migrate across the land bridge from the Internet of Computers to the Internet of Things.
The bigger issue may be the way that IoT devices and gadgets that control our environment and mediate our experiences will soon come to hold something that approximates a digital record of our conscious lives. When those devices are compromised (or just lost ) we find ourselves far more exposed than simply losing a wallet or a mobile phone. Boonsri Dickson’s account of how she lost her Google Glass and had it returned to her is actually a good read on this count. The nice young man who found her Glass on the streets of New York could tell from the photos and video she had stored on it where she went to school. A more savvy user may well have been able to determine a lot else – by accessing the data in her e-mail account or using EXIF data from her photos to map her movements around town.
The ability of malicious actors – or even well-intended governments- to access and use the data collected passively or actively by the IoT devices and to concoct a relatively accurate picture of “us” is likely to become the security and privacy pain point for many of us. How we address that problem is another question entirely.