A Blog by Jonathan Low


Jan 11, 2015

Time to Change the Password on the Fridge: Is the Smart Home a Security and Privacy Threat?

Is it apostasy to ask whether connecting the fridge to the smartphone is really necessary, let alone a brilliant innovation? Given all the information we are processing every day, do regular updates from the lettuce bin qualify as a priority?

There is breathless hype around the internet of things and the amazing advances we are going to enjoy by being able to manage everything from our phones. The question this raises is why anyone will care enough to pay a premium for the product as well as, potentially, paying more in terms of energy and phone or cable bills.

The even more troubling issue is whether this is creating a security vulnerability that puts those homes, cars, bank accounts and other assets at greater risk by connecting a bunch of devices and networks with varying degrees of sophistication and quality, especially with regard to the degree to which their manufacturers and marketers have even thought about security, let alone done something useful about it.

The challenge this poses for those who hope to profit from the enhancement of these devices is that consumers are already skeptical about their privacy and the security of their data. Breaches at supposedly tech-savvy corporations with the money and incentive to protect themselves demonstrate how laughably easy it is to crack these safeguards. Credit cards are one thing: cars, pacemakers and homes are quite another. JL

Molly Wood reports in the New York Times:

The more connected our technology becomes, the more data our devices and appliances can gather about us. That data can be shared in ways we don’t anticipate. The risks intensify as we adopt more devices linked to our physical safety, such as cars, medical care and homes.
While manufacturers painted a rosy picture of connected grills, coffee makers, refrigerators and door locks, security experts and regulators warned that the Internet of Things could be a threat to both security and privacy.
Hackers have already breached Internet-connected camera systems, smart TVs and even baby monitors. In one case, someone hacked a networked camera setup and used it to scream obscenities into a baby nursery.
Connected-home security threats, at least so far, have not usually been about a hacker trying to break into your home or using your data. Criminals aim mostly at giant databases of personal information or credit cards that they can sell on the black market.
Even so, the more connected our technology becomes, the more data our devices and appliances can gather about us. That data can be shared in ways we don’t anticipate or can be revealed as part of larger breaches.
In a speech at International CES, Edith Ramirez, chairwoman of the Federal Trade Commission, said the trend toward having so many things constantly connected to the Internet presented serious risks that start-ups and big companies needed to take seriously.
“Any device that is connected to the Internet is at risk of being hijacked,” she said in her prepared remarks. “Moreover, the risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes.”
The concerns, Ms. Ramirez and security experts say, include widespread collection of personal information with or without consumers’ knowledge, misuse of that information and actual stealing of the data.
And perhaps because connected devices are relatively new, there are few security features built into many of them or the apps and services that power them. Even fewer products exist to lock down your smart home.
One noteworthy product, though — perhaps the sort of device we will see more of soon — was introduced at International CES. It comes from Bitdefender, which makes antivirus and anti-malware software for computers, and is called the Bitdefender Box. The box is a physical device that plugs into your Internet router and constantly scans your network and the websites you visit for potentially harmful software or viruses.
“The whole idea is not to let it inside your network,” said Bogdan Botezatu, the company’s senior threat analyst.
“When you’re opening a malicious page, before the page is downloaded, it is intercepted in the box, flags are sensed in the cloud and it doesn’t show up in the first place,” he said.
One common security problem, for example, is that a person visits a website that has malicious code embedded in it. You don’t have to click anything for the code to run, and after it does it can deliver a virus that can co-opt your computer and put it to work as part of a botnet. A botnet is a giant network of computers linked together to break codes or passwords or initiate distributed denial-of-service attacks that can take down entire sites.
When less traditional devices like smart TVs or refrigerators are connected, they can become part of botnets as well, Mr. Botezatu said.
“It doesn’t quite matter to the hacker how much processing power or what task those smart devices can accomplish,” he said. If they can reach a website — and most can, because they connect to their own websites — they can be used.
“Getting something knocked off the Internet is still worth a lot of money, and the Internet of Things is a powerful tool for doing that,” he said.
The Bitdefender Box is expected to be released this month for $199 and will include a year of service. After the first year, the service is $99 a year. The box includes other features that can help its users control devices on their home networks. It can give extra Internet bandwidth to certain computers for Skype calls, for example. And if you have one installed, you can connect to it when you’re not at home over a secure, private network.
But as with most antivirus and anti-malware products, the box can scan for and detect only code that has already been identified as a threat. Something new could still sneak through.
And the box can’t do anything about the personal data harvested by all the various apps that control smart devices in the home or outside of it.
For example, at International CES this week, Ford announced plans to collect information about driving habits of company volunteers in Dearborn, Mich., and of volunteer drivers in London. The London project aims to create personalized driving information that can be used to calculate personalized insurance rates.
As usual with data collection, there may be benefits in the long run, but we will have to trust a new set of companies with our information.



Ford’s new chief executive, Mark Fields, said at International CES that Ford understood the responsibility.
“We believe customers own their data and we are simply stewards of that data,” he said. “And we commit to being trusted stewards of that data.”
But many companies have failed to safeguard customer data over the last year, so companies like Ford may have to do a lot more than commit. They will have to be transparent about how they protect our information, and make sure customers know what they are opting into when it comes to sharing information.
Customers seem wary. Accenture, the research firm, released a study this week that said consumers around the world doubted whether their personal data was secure online. With companies of all stripes suddenly interested in collecting reams of information about their customers, both on the Internet and elsewhere, those concerns are likely to continue.
And as Chris Babel, chief executive of the data privacy management company TrustE, noted, we are still in the very early stages of the Internet of Things.
“Everything is still very siloed and it’s not very connected,” he said. “But there’s massive amounts of value when it gets connected — both from the users’ perspective and from the hackers’ perspective.”
Mr. Babel echoed the advice of Ms. Ramirez of the F.T.C., who said companies needed to “prioritize security and build security into their devices from the outset.”
She recommended privacy and risk assessments in the design phase of new products, forcing users to set new passwords instead of using default passwords on sensitive devices like Internet routers and using encryption wherever possible.
So if you are creating a smart home for yourself, keep security in mind. Think twice about what you connect to your network. And hopefully security will evolve in lock step with the connected world we are entering.

