Security Experts: Why Smart Home Devices Should Scare You
WASHINGTON — In a rowdy but good-natured debate here at the ShmooCon security conference Sunday (Jan. 21), four experts debated the worth and dangers of Internet of Things devices.
Despite the light tone, all the experts found it difficult to say many positive things about the current state of connected devices.
"Imagine if you took computing back in the '80s and decided there wasn't enough of it, and there weren't enough security flaws," said Wendy Nather, an information-security veteran who now works at Duo Security in Ann Arbor, Michigan, and who had been assigned the anti-IoT position in the debate. "That's where we are with IoT devices."
"We're heading for a whole mess of trouble, ranging from the cost of cellular service for these devices to de-incentives for actually securing these things," Nather continued, being serious. "We are gonna have all sorts of kinetic effects that we haven't seen before."
Her comments echoed a growing concern among information-security experts that IoT flaws, such as those involving connected cars and other transportation systems, may be the first computer bugs that actually kill people.
"Nobody expects the IoT inquisition," Nather said. "We are so not ready for this."
Is IoT like the early auto industry?
Elizabeth Wharton, a lawyer with the city of Atlanta who is an expert on the safety of unmanned aircraft, took the pro-IoT side. She began by comparing the state of the IoT industry today to that of the automobile industry in the early 20th century, when start-up car companies scrambled to get a piece of the market and safety considerations were not much of a concern.
"When we started out in automobiles, there was a lot of work to be done," Wharton said. "We didn't have the safety features we have now. We didn't have the gas mileage we have now."
She said that connected cars would be able to reduce traffic jams by coordinating their speed and automatically taking routes to avoid accident scenes and other obstacles. Wharton also pointed out that regulation of IoT devices was catching up to reality, citing the Federal Trade Commission's recent fine against Hong Kong toymaker VTech for improperly handling children's personal data.
"There is some good to be found from connected devices," Wharton said.
Nather countered by saying that Wharton's lukewarm arguments in favor of IoT devices had "made many of my rebuttal arguments for me."
"Yes, the FTC is taking part in this, and I enjoy it when they say, 'Stop, or we'll say stop again!'" Nather continued, using the punchline to an old joke about the effectiveness of weaponless British police. "And I really enjoy their success with devices made outside the United States, which is about 99 percent of IoT devices."
'Think of the Children'
At that point, Wharton gave up sincerely arguing in favor of IoT devices and switched to sarcastic comedy.
"Think of the children," she said with exaggerated false sanctimony that was a bit scary. "Give them an opportunity to be a superhero. To be able to connect with their cohorts around the world. Children are the future — the connected future. Don't forget that the government is watching, and that's OK."
Jack Gavigan, an information-security expert who used to trade for Morgan Stanley and is now the chief operating officer of the company behind the Zcash cryptocurrency, jumped in with a serious point about IoT devices, even though he was supposed to be part of another debate.
"There are two big worries with IoT," Gavigan said. "First, is someone gonna hack into my fridge and have 500 steaks delivered to my house? But second, are you suddenly gonna find that your insurance premiums have gone up because your heating system detects that you're out every weekend until 2 or 3 in the morning?"
Gavigan was referring to something that's already been seen with some connected-car devices — speed sensors report driving habits to insurance companies, which adjust premiums accordingly.
"Regulatory rules generally take a while to catch up," Gavigan added. "It's up to us in this room [i.e., the information-security community] to help the regulators understand the threats."
"These IoT devices will be harnessed for bots to generate cryptocurrency, which is the future," joked Jack Daniel, a tall, white-bearded veteran hacker who had dressed in a monk's robe for the other debate and had been introduced as "Gandalf."
"How will blockchain help IoT in the cyber?" yelled a mocking voice from the crowd.
"Put everything on non-private immutable blockchain so that nothing can ever be fixed," retorted Nather.
Solutions in Search of a Problem
Wharton finally abandoned her assigned pro-IoT stance and lamented that many connected devices were solutions in search of a problem — for example, cloud-connected sensors in municipal parking spaces.
"If you are trying to track parking spaces, there is no need to have sensors and data collection if you're just wondering if a parking space is in use," Wharton said.
Nather amplified that sentiment with an exaggerated example.
"If you want to know what the weather is, you could go outside. Or you could send a drone out there," Nather said. "If it comes back wet, it's raining. If it doesn't come back, it's really windy."