Hacked Fridges Aren’t the Internet of Things’ Biggest Worry


As we start to connect more and more of the things in our lives to the web—from our cars to our thermostats to our barbecue grills—it’s hard not to worry about those things being hacked. No one wants their toaster to become a spambot, after all.


But Ken Westin, a security analyst at the software company TripWire, says it’s not the things in the Internet of Things that we should worry about. It’s those cloud servers with vast databases of personal information gathered from all those connected devices. “It’s kind of sexy to talk about hacking a refrigerator, or about how our watches are going to be hacked,” he says. “But if you look at hacking, it’s a business. There needs to be a return on investment.”


And in the business of hacking, it’s not the devices that are valuable. It’s the data they generate. Not that individual devices aren’t a problem. They’re notoriously hard to secure, and can be trivially easy to compromise because so many people fail to change the default user names and passwords. But they don’t tend to contain a ton of data—at least not compared to the servers with which they communicate.


The biggest return on a cybercriminal’s investment, then, isn’t in hacking some rando’s toaster, it’s in grabbing data from thousands of users at a time by hacking servers. Consider the seemingly never-ending string of high-profile hacks, from Home Depot to Target to, of course, Sony. Each of these incidents spilled user names, credit card details, or other information onto the web. And that’s just the beginning.


Your Data Self-Portrait


We’re putting ever greater amounts of data into the cloud. Nest knows which rooms in your house you spend time in, and when. Smart appliances transmit our voice commands to their manufacturers. Car insurance companies deploy tracking devices to gauge driver safety. Fitness trackers know our heart rates and how many steps we take each day. The photos we upload to Instagram may include geographic coordinates. In addition to the information we deliberately post to Twitter and Facebook, social networks could log other information, such as how often we log in and what times we generally post.


Individually, it might not seem like much of this data would be problematic if it were leaked. But as it starts to be combined in new ways, this data in the wrong hands could come back to haunt us, perhaps even years later.


“As we interact with our devices there’s this trail of digital exhaust that we leave behind,” Westin says. “Once you combine this data and create very rich profiles of people, I worry that it’s going to be the death of privacy.”


And those profiles become even richer when our homes themselves are conveying intimate, constant data about our minute-to-minute actions.


Follow the Data Trail


Westin knows how damning these data trails can be. He used to use them to put people in jail back when he ran GadgetTrak, a company that helped victims recover stolen devices like digital cameras, laptops, and smart phones. The key was following all the different digital bread crumbs users leave behind without even realizing it. “One piece of data is great, it gets us in the ballpark,” he says. “But there’s always additional information from every interaction we make.”


For example, he was once able to trace a stolen USB device to a college computer lab. That wasn’t enough to find the culprit, but the school required a student ID card to enter the lab, and kept logs of who had used it. With that data, along with the college’s surveillance footage, Westin and company were able to pinpoint the thief.


Now Westin worries that the same techniques that he used to catch criminals could also be used by criminals to spy on, well, just about anyone.


Only What’s Needed


It’s hard to say exactly how our data might be misused in the future, and it will likely vary from person to person. Westin says the worst case scenario might be espionage: countries hacking Internet of Things servers to get dirt on political officials. But for most of us, the risks will likely be the possibility of mildly to severely embarrassing information finding its way into the wrong hands.


Today hackers often sell databases full of stolen credit card numbers, social security numbers and passwords. In the future, these databases could include even more personal information gathered from sensors and connected devices. A stalker, or someone with a grudge against you, could go to these marketplaces, find your personal info, and buy it. Or the hackers could try to sell your data back to you for a fee.


Westin says the most important thing that companies can do to help protect their customers is to stop gathering data that isn’t necessary for the operation of the service. Beyond that, they can encrypt the data they do collect — preferably in ways that only the customers themselves can decrypt. New laws regulating what information can be collected, and how it can be stored, may also help.


What We Can Do


Individuals, meanwhile, should think about what types of data they’re producing, and where that data is ending up, and when possible, choose products and services that don’t collect information or that have clear policies and guidelines on how that information is stored and protected. This could be tough, however, with so many makers of connected devices eager to suck up valuable data on their customers.


Despite his concerns, Westin is actually pretty optimistic about the future. Yes, there’s been a rash of bad news for privacy in recent years, ranging from the Snowden revelations to Lenovo shipping adware by default on its laptops. But those incidents are bringing more awareness to the issues.


“We’re becoming more privacy conscious,” he says. “That’s the silver lining. It’s all moving in the right direction.”


