There has been a lot of talk in the last couple of years about the Internet of Things (IoT). IoT is basically the concept that household and personal appliances, including vehicles, will all be connected and have Internet access to provide a rich set of services. You can do things like remotely adjust your thermostat (such as a Nest) or turn on your oven from work; or, if you decide to adjust your toaster to make your toast darker while you are brushing your teeth, there will be an app for that.
Last year, I participated on a panel at the SANS Securing the IoT conference. There, we talked about remotely controlled light bulbs that change color (and how to hack them), smart outlets that can be switched off or on from your mobile phone (and how to hack them), and the larger utility industry, which is putting smart meters on homes to monitor and manage electricity and gas, among other things (and how to protect them).
My perspective was about privacy, and how someone could glean a lot of information about a person just by accessing information from these devices. Are the lights on in their home? Are they using a lot of electricity? If so, can I determine what expensive electronics might be in the home? This is data that could support a physical theft or personal attack. If I’m in my car waiting at a light, I don’t want someone to connect and pull my address book or destination history. But it goes further, as we are now extending this to “wearables”: health-monitoring devices that track our heart rate, steps, calories, etc. These are also controlled by mobile apps, and the data there crosses over into the “personal” realm, some of which you want protected. This could include your running route, which indicates you are not home; or, scarier, that you will be passing through an isolated part of a trail in the woods at a certain time.
Collecting and accessing more data is both good and bad: it gives us conveniences to make decisions or better understand things (like our state of health or fitness), but it also provides insight for malicious use. We need to be cautious of these perspectives when implementing these capabilities in our homes or for personal use, as well as in the business. If I’m managing employees’ personal mobile devices, I don’t want access to this health information. And finally, I don’t want someone to learn over the Internet that I’m not home, and then turn off my AC in the middle of the night during the summer. Or go the other way, and crank up the AC the week I’m on vacation and cost me a lot of money. So, let’s design security in at the beginning, test to see what’s vulnerable, be transparent about the kind of information being stored so users can manage the risk of its unauthorized access, and provide controls to protect that information for them. This is one area where “building security in” is critical.
– Rick Doten, DMI Chief Information Security Officer (CISO)