On the Internet, nobody knows you're a toaster
08 December, 2014
What’s being done with the data?
At first blush, the information that these various connected devices collect might seem innocuous to the average consumer. Who cares when my Nest Thermostat kicks on or what’s on the grocery list of my Web-enabled refrigerator?But hackers could use the thermostat data to monitor homeowner schedules and determine ideal times for burglaries. Health insurance companies could track grocery lists to evaluate if an individual is eating too many processed foods and subsequently raise premiums based on dietary habits.
“There are huge privacy implications,” says Steve Shoaff, CEO and founder at UnBound ID. “The Internet of Things has an identity problem. At the end of the day there is a device connected to the Internet, meaning more than one person can benefit from it. How do you make sure only authorized people have access to this information?”
Shoaff admits to be an early adopter for the Internet of Things, but he has concerns about how the data is secured and used. The access to data from the set-top box and Nest thermostat alone can be enough to cause problems. “You would be able to tell that someone is in the house and that they’re watching Nickelodeon,” he says. “This could be valuable information to somebody.” The dangers are largely being ignored, Shoaff says. “The issues surround who controls the flow of data and how an individual can manage implicit and explicit preferences,” he explains.
The Nest Thermostat has sensors that could detect when a person is in the home as well as learn about a user’s preferences over time. In the future these capabilities will certainly increase, and it’s what Google will do with those preferences that has Shoaff concerned. “I want to control that data,” he says. “I don’t want Google knowing how much body mass index it detects, let alone what it will do with that information.” While authentication to these devices is important, the bigger issue is the flow of data, where it goes and who controls it. “The identity needs to be decoupled from the applications,” Shoaff says.
Rather than shove a bunch of identities into every application, Shoaff suggests applications should consume identity attributes on an as needed basis. In this model the user’s identity is stored in a high-security platform and the applications are granted access to specific identity information. All identity and personal information is also secured and encrypted. “This is the consumer-centric view of identity in which the individual is a customer who enables specific services and subscriptions,” Shoaff explains.
Securing the actual devices
Control of the data produced by these new devices in the Internet of Things is important but also paramount is making sure the devices are secured properly. “The goal is to protect these devices, any identity-related details as well as make sure that any information sent back is safe,” says Johan Sys, managing principal for identity and access management at Verizon Enterprise Solutions.
WiFi-enabled light bulbs were hacked earlier this year by Context Information Security. LIFX bulbs connect to a WiFi network in order to enable a user to control them using a smart phone application. In a situation where multiple bulbs are available, only one bulb will connect to the network. This “master” bulb receives commands from the smart phone application and broadcasts them to all other bulbs across the wireless network. After spending some time with the bulbs, researchers were able to sleuth out the encryption algorithm and gain an understanding of the network protocol. With some additional work they were able to capture the WiFi network details and decrypt the credentials without authenticating or alerting the user to their presence.
It’s likely that attacks such as these will increase as Web-connected devices and systems become more prominent. “We have seen less than 1% of what’s going to happen with identity and the Internet of Things,” says Sys. “It’s the biggest growing focus by far.”
On one hand, securing identities for these devices is easy as compared to doing it for employee or consumers. “Employee’s change identities throughout the course of a day,” Sys says. “These identities remain static.” But there are a lot more of these devices out there than people and not all of them have the ability to handle cryptography. The attacks are also new. “We understand the attack vectors against the enterprise,” Sys says. “With the Internet of Things it’s more complex, we know these attacks have consequences but we don’t yet know what they are.”