Wednesday, 9 September 2015

A distributed denial of things

I have many concerns about the Internet of Things and have written about some of them before.  IoT devices are usually not built with security in mind.  They are often rushed to market in a highly competitive space.  I expect the manufacturers think of security as something that can be added with a firmware update, which is a hugely problematic attitude, especially when – as is known to be the case with some devices – the firmware update process itself is not secure.

But a bigger problem is that many devices are specifically designed to actively spy on us.  What other even vaguely plausible reason could there be for your fridge to be internet-connected?  Samsung seems to tout its internet fridge as a replacement for the paper calendars most of us hang on our fridges, but of course you can also run apps and browse the web.  Let’s face it, though: anyone who has a smart fridge most likely has a house festooned with tablets, smartphones and a bunch of other connected devices.  Why would they want to do the same things standing at their fridge that they could do in the comfort of an armchair on their tablet?  Clearly, all the advantages are to Samsung, who are very likely collecting all manner of information about us and our habits.  Fridges are going to be more or less efficient depending on how much food is in them.  This could say much about our shopping habits even without knowing what food is in there.  It could tell Samsung what days we usually shop on.  Combine it with sensors on the doors and it could tell them whether we prefer fresh or frozen foods, what times we tend to be hungry….  And of course, Samsung’s smart fridge has been found to be insecure.  A man-in-the-middle attack could uncover the owner’s Google credentials.

There is one very minor reason for having an internet fridge: firmware updates.  A few years ago, my old fridge needed a firmware update because of that model’s tendency to suddenly burst into flames.  A man came round and plugged his laptop into the fridge with an ethernet cable.  There was a period of several weeks between finding out about the problem and it being fixed.  Automatic updates would have prevented this (and for the record, Samsung’s firmware updates seem to be pretty secure).  But this is surely a rare case.  How often does fridge firmware need updating?  It’s surely worth neither the manufacturers’ money nor the consumers’ risk if updates are the only use case.  It’s much more likely that the fridge is spying on people.

This brings me to a yet bigger worry.  One day, we might find that all fridges are internet-ready and that they won’t work unless they are connected.  If this sounds unrealistic, perhaps you’re right.  Perhaps people will start seeing sense.  But think instead about smart TVs.

A couple of years ago, we bought a new TV.  We weren’t looking for anything special, we just wanted something that would sit in the corner and show pictures of things.  But it was virtually impossible to get one that wasn’t HD.  We have no objection to HD, but we’d rather have saved money and got an SD one instead; having HD hasn’t significantly improved our lives.  We don’t notice that we don’t have it (we don’t have an HD subscription to our main provider). 

I don’t think it will be long before it’s virtually impossible to buy a TV that isn’t internet-connected and that requires an active connection to function at all.  Smart TVs (including Samsung’s) are notoriously insecure.  They store voice commands you issue in their data centres.  They report all sorts of data about our viewing habits.  If they have cameras, these register with dozens of companies when you first fire them up, presumably reporting our activities to those companies.

There’s no doubt that surveillance is the business model of the IoT.  My main concern is that sooner or later there won’t be a practical way to opt out.

And here’s another thing to worry about.  How long will it be before we see a Distributed Denial of Things?
