In-brief: Ross Anderson of Cambridge University discusses the privacy and security risks of the Internet of Things at the Virus Bulletin Conference. Problems we already confront – such as ATM and mobile device security – may presage more widespread attacks on the IoT.
Security and privacy are at the center of the debate about the Internet of Things. As this blog has explored: connected “things” have proven themselves no more secure – and often much less secure – than the (insecure) laptop and desktop computers of an earlier generation.
Even more troubling: the intersection of Internet-connected, sensor-rich devices creates all manner of new opportunities for both good and ill. In just one example: connected vehicles that can interact with the roads, bridges or toll booths they travel through can help municipalities get a better handle on traffic patterns, capture toll revenue and target their spending and investment on infrastructure that matters. That same data, however, can also be used to track vehicles and their passengers passively: a massive expansion of governments’ surveillance powers.
Or, with the holiday season approaching, consider the new “Hello” Barbie doll, who is designed to interact with your child. According to this report in The New York Times, Hello Barbie was equipped with a link to the cloud and microphones to capture voice commands – commands which are then sent to cloud-based servers of a firm, ToyTalk, where they are transcribed, correct responses generated and answers returned. Of course, Barbie will also observe other ambient sounds in her environment, creating the potential for as-yet unknown privacy violations. Is Barbie even secure, or might she be a vector for future attacks that we haven’t even considered?
That kind of thing has attracted the attention of some really smart folks. One of those is Ross Anderson, who is professor of security engineering at the University of Cambridge. Ross writes for the (great) blog Light Blue Touch Paper. He just posted a link to this talk, which he gave at the Virus Bulletin Conference, about the myriad of security risks that the Internet of Things presents.
“In the future, if you want to wiretap John Gotti Jr. maybe you get a warrant to wiretap his kid’s doll,” Ross posited. “Is this within the scope of what people accept socially?”
It’s an interesting talk – Ross spends a good part of his discussion looking at some of the vulnerability and attack types that we can already observe, and which might take on a new urgency with billions of connected devices. He also promotes the Cambridge Cloud Cybercrime Center, a private-public partnership which is looking to gather and centralize large amounts of data from a range of malicious activity – malware, spam, phishing attacks, etc. – that is needed to do original cyber crime research.
“We want to invent the forensics of the future,” Anderson said.
Check it out!