The (Exposed) Internet of Things

The so-called Internet of Things is certainly an important commercial trend, from FitBits to Nest thermostats. Yet, for all the potential virtues and benefits, it's apparently not very secure from a privacy standpoint. A recent examination of a search service (Shodan) devoted to crawling the IoT found that you can see a lot of amazing things -- sleeping children, marijuana grow rooms, classrooms, and so forth -- because security on webcams is either poor or non-existent.

Quoting from the ArsTechnica article:

The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true. Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on. While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are going to do to fix the problem.

The root cause of these insecure webcams is the drive for the minimum viable product, along with consumer hesitation to pay much. Manufacturers have scrimped on security to lower prices, and consumers are ignorant of what kind of access this can give to hackers, search engines, or just curious passers-by in the virtual world.

Groups are working on security rating systems so that consumers can gain insights into vulnerabilities before purchase, and the US Federal Trade Commission is becoming aware of the problem. It has already gone after more than 50 companies that did not reasonably secure their devices or networks, and has more on its docket. The US Department of Defense and DARPA are also concerned and involved. However, this is a worldwide problem, and the US government's involvement is only the start.

One model being discussed is the UL model used to set standards for electrical devices. If something is UL-approved, it meets basic standards for safety and construction. Some critics deride this comparison as imposing a lot of bureaucracy for little benefit -- after all, UL listings assure that manufacturing is sufficient to support the intended use, but are not built or developed to deal with intentional attacks on the electrical grid. The question remains how to build cyber-infrastructure that fends off intentional attacks. As one expert states:

Our dependence on technology is growing faster than our ability to secure it.

Opportunities exist for information providers, and the ArsTechnica article does not touch on the number of connected devices being developed for professional and scientific use. What kind of risks exist? I touched on this in an essay in 2013, which noted that the level of cyberwarfare was already high then. With the growth of tensions around economic and ideological matters since then, the level of hacking has only increased. Publishing, e-commerce, and customer data platforms are under a nearly constant barrage of probing attacks from outside sources with presumably unsavory intentions. As one expert wrote a few years ago:

In 10 years, computers will be everywhere we look, and they’ll all have wireless. Will you be able to compromise someone’s insulin pump through their car? Will you be able to induce seizures by subverting their house lights? Will you be able to run these exploits by cell phone? What’s possible? It’s more like ‘What won’t be possible?’

It's important to see things for what they are. The "Internet of Things" requires placing connected Internet devices all around us. The implications of doing so are not clear, nor is the necessity or value. Technology is not benign, its benefits are not automatic.