When the story broke, Samsung admitted it was logging users’ activity and voice commands, but claimed users agreed to in the terms and conditions, and had enabled the function when setting up their TV. The option could be turned off.
In truth, Samsung was engaging in what many companies do, which is to learn from voice commands in order to improve the service. Use Siri on an iPhone and something similar is taking place. But the episode publicised just how dangerous it could be to install internet-connected devices.
Even in the industry right now you’ll find a unanimous verdict: internet of things (IoT) security is a red-hot issue.
Security testing firm Pen Test Partners loves exposing flaws in IoT devices. It’s hacked a wi-fi kettle, bathroom scales and got a children’s doll called My Friend Cayla to “to swear like a docker, a very sweary docker at that”. The security flaws ranged from mild to serious. The IoT kettle could be hacked to keep it continuously warm to consumer electricity. That’s a two out of ten nuisance. The bathroom scales could be used to seize control of an entire wi-fi network. That’s far more serious.
A recent study by HP found “70 per cent of the most commonly used internet of things devices contain serious vulnerabilities”. On average there were 25 vulnerabilities per device.
These flaws mean hackers can use IoT devices to spy on you with a webcam, to take control of your network, make your lights flash on and off, steal account data, and listen to your conversations. And what other devices with IoT capability? It is speculated that car engines could be shut off in the middle of the M1. Airbags deployed. As for medical devices and airlines… how gruesome is your imagination.
Should we be panicking? There are two schools – optimists and pessimists. Both admit the security situation right now is poor. But the former believe patching things up will deal with the threats, just as online banking keeps the hackers at bay despite the odd glitch.
In order to assess the situation, it is worth reflecting on who might pose a threat. Hackers, obviously. Malevolent folk may want to steal your money, spy on you or simply make mischief. Ordinary hackers already spy on people at home by taking control of webcams, known as “ratting”, after the remote administration tool which gives them access. A BBC investigation cited a 20-year-old student who realised she was being observed while watching a DVD in the bath.
Try and turn off your lights using an IoT mobile app and you might find you plunge a family in another country into darkness
Legally permissible intrusions are more subtle. The device-makers may wish to learn more about you. Google, Apple and Facebook already do all they can to observe consumer behaviour to improve their products. Unscrupulous device makers may use terms and conditions to be even nosier.
Governments may demand covert control of your devices. Rogue agent Edward Snowden revealed the US National Security Agency (NSA) was using backdoors provided by umpteen technology giants to spy on e-mails, pictures and the location of unsuspecting people.
Some of the NSA cases were pretty creepy. Agents engaged in LOVEINT – spying on persons of love interest. Spouses, partners or just member of the public they found attractive could be monitored. One agent admitted spying on six e-mail addresses belonging to his ex-girlfriend. Not great to know the government may also be doing it.
We can add to our list of potential malefactors – rival device manufacturers who wish to sabotage or learn from other devices, viruses that don’t care what they get access to, corporate raiders looking for business information, as well as accidental intrusions. Try and turn off your lights using an IoT mobile app and you might find you plunge a family in another country into darkness.
The onus is on IoT makers to up their game. Scott Cairns, chief technical officer at T-Systems, says the appetite to be first to market is undermining security. “An inherent problem is that the engineers inventing and adding nodes to the IoT on a daily basis are not security experts and more often are not implementing comprehensive security measures.
The pace of expansion of the IoT is far outstripping the required security being employed,” he says. This needs to change.
Consumers need to do their bit. If consumers blindly agree to all terms and conditions they are poorly placed to complain about legal intrusion. The trouble is the “small print” can be impossible to read. This needs remedying says AVG anti-virus senior security evangelist Tony Anscombe.
“The industry needs to make everything clearer. They have a responsibility to make sure consumers know what they are agreeing to and right now the documentation isn’t helping. Perhaps a simple, graphical format would be best,” he says. The website TLDRLegal.com is attempting to provide an easy-to-read summary of end-user licence agreements. It is a work in progress.
Keeping software up to date is vital. Sadly, many consumers can’t even keep their main PC protected. A survey by security firm Secunia shows 11.5 per cent of private PCs in the UK are unprotected. Almost half are using Java Oracle 7 rather than 8, with three-quarters not updating in a year despite more than 100 known vulnerabilities.
Can we really expect the same consumers to update the firmware on their IoT kettle?
One solution is to add barriers to the IoT system. The new Bitdefender Box claims to be a one-stop-shop for IoT security. It installs software updates, identifies vulnerabilities and blocks unauthorised traffic.
Bitdefender’s chief security strategist Catalin Cosoi is under no illusions of how big the security challenge is for IoT. Even “harmless” devices, such as thermostats, pose a risk. “In the much anticipated smart city of the future, smart metering will improve energy consciousness and efficiency, but it’s not difficult to imagine a scenario where energy meter data could be used track our location,” he says.
Should we be pessimists about IoT? Hongwen Zhang, co-chairman of OpenCloud Connect, the industry alliance of cloud and IoT makers, says even if doubters are right, consumers will still enjoy using IoT devices. “Your above items of threat are all valid. However, the benefits of IoT overweigh all these fears. We have passed the point of no return in our evolution path with IoT,” he says.
He warns the real danger isn’t nosy governments or teenage hackers. But something more sinister – artificial intelligence.
Dr Zhang admits this: “On the speculation spectrum, the irony is that we will soon able to build terminators before we figure out how to do time travel. The evil actors may not be humans but ‘superintelligence’ as described by Professor Nick Bostrom of Oxford University in his book Superintelligence: Paths, Dangers, Strategies. Let’s hope humanity avoids those bad paths that lead to extinction.”
He adds sensibly: “We are good at finding cures.” If he’s wrong, dodgy kettles and sweary dolls would be the least of our worries.