On A Personal Level
The IoT (Internet of Things) and the use of Cloud storage are all the rage. Products which utilize the IoT, like Google’s Nest devices, learn from your actions and make changes accordingly. With the Nest thermostat, you simply adjust it a few times to the temperature you prefer, and the device “learns” and takes over from there. Nest cameras allow you to view the interior or exterior of your home while you are away. Other Nest products monitor other home-related issues such as CO levels. But what are products such as these actually learning and, more importantly, what are they storing and sharing?
Let’s look at the thermostat first. It learns when you turn your heat/AC up or down, it learns the temperatures you prefer, and it stores that data in the Cloud. While there is no implied consent to share this data when the thermostat is purchased, imagine how valuable that information could be. The Nest thermostat collects and stores information on whether it is being installed in a home or a business, the location address and zip code, when you come and go, and occupancy and movement within a room. Imagine if that information were available to a tech-savvy thief. They would no longer have to case your home or business before a robbery. The thermostat does that for them.
Want to add a Nest cam? Well! That makes life even easier for a would-be home-invasion professional to meet his daily quota. The Nest cam links to other Nest devices via Nest Works and stores streaming video, as well as a location identifier. You, or others to whom you give permission (e.g. a developer using Works), can access the following information at will:
- View camera or mic status
- View or change streaming status (turn camera streaming on/off)
- Device name
- Where identifier
- Last online status change
- Subscription status (enrolled/not enrolled)
- Links to live camera feed in the Nest app (iOS, Android) or on the web
- Content related to the last event that triggered a notification, such as sound or motion detected, event start/stop times, and links to image and gif files
According to additional information provided on Nest.com, if you have multiple Nest Products interfacing with one another, the products will share information with each other. Sharing can occur locally among connected devices (both Nest and third-party devices), between Nest Products and your mobile devices or applications, or among Nest’s servers. So, if the system is hacked, not only does a tech-savvy thief know where you live and when you’re home, there is also the potential for them to peruse your home via video cam to locate and ID the possessions they would like to steal.
Nest freely admits that they will share your information (with your permission) when you choose to connect to third-party products and services through Works. They will also share it with partners, such as insurance companies. Following the “with your permission” statement, however, comes an additional statement that causes me concern. “We may also receive information from our partners and other sources and combine that with the information in your Nest account. For example, in order to offer rewards programs, we might receive information (such as which of our partners offers services where you live) to determine eligibility and efficacy of our programs.” The implication here is that permission is not needed to share information in this instance.
So, now Nest has stored (among other things) your address, your occupancy information, your Wi-Fi network information, your email address, and video of your home in the Cloud. Nest shares your information (with your consent) if you sign up for programs offered by Nest partners, which include energy and insurance companies, as well as with vendors, service providers and technicians who assist with Nest processing and storage. With all that sharing, how secure is the information? Even putting aside the possibility of Cloud hacking, the replication and transmission of the types of personal information Nest collects and stores provide a plethora of chances for information to be purposely or accidentally misused.
Is the previously outlined home theft scenario a potential reality or just a remote possibility? The threat is very real. Otherwise, Nest would have no need to post its “responsible disclosure policy.” The policy asks security researchers who believe they have identified a security vulnerability to contact Nest immediately, and give the company a reasonable amount of time to respond to the information before making the information public. It also asks that the person who discovers the vulnerability not access or modify user data without permission of the Nest customer. If the researcher acts in good faith and does not degrade the performance of Nest services, Nest promises not to take legal action against the person. Now I ask you, how many hackers or cyber thieves are going to notify Google Nest that they have found a way to hack the system? Sure, Google provides a reward for submitting this type of information, but how does that reward compare in value to the ability to case and burgle a multitude of homes with so little effort?
The Bigger (and Scarier) Concern
While home safety is important, there are larger concerns associated with the IoT. Have you ever heard of Stuxnet? It was the world’s first digital weapon, developed to cause centrifuges to malfunction, delaying the production of enriched uranium (and nuclear weapons) in Iran. Over a five-month period it was responsible for the loss of almost a thousand centrifuges, significantly reducing the enriched uranium production at the plant. If you’re interested, the following URL (https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet) will take you to a report about Stuxnet and its results. The simple explanation is that, using USB drives and targeting computers at five outside companies that were linked to the uranium plant, Stuxnet insinuated itself into the plant’s computers and wreaked havoc until it was finally discovered. In this instance, the US and Israel worked together to target Iran. What happens if the target is us?
Is targeting the US a possibility? According to The Global Risks Report 2016, 11th Edition, released in February of this year, cyber attacks are the greatest risk North America faces this year, followed by data theft. The report notes that everything from personal finance to national infrastructure (anything managed via some form of computer network) is vulnerable to attack, and the IoT is making those attacks easier than ever to initiate because of the linkages it promotes. The report points out that as the IoT continues to grow it brings with it some definite benefits, but it also opens the door for issues such as “economic espionage, cybercrime, and even state-sponsored exploits – that are increasingly perpetrated against businesses.”
Not only is cyber attack a possibility, it is a harsh and expensive reality, costing US businesses billions of dollars. In the past year alone we have heard about successful cyber attacks against the OPM, which is responsible for, among other things, maintaining files containing personal information on US government employees who applied for top-secret security clearances (it appears that these were the files targeted), Sony, Anthem and Premera Blue Cross, US natural gas systems, and several other large US corporations and government offices. Fingers have been pointed at both China and North Korea, but one of the issues with cyber attack is that it can be extremely difficult, if not impossible, to prove who is responsible for the attack.
One of the latest cyber attacks to come to light is an attack on a New York dam by hackers in Iran. The White House is expected to release information concerning this attack in the next few days. According to a March 10, 2016 article by John Bonazzo, a writer for the Observer, the hack of the Bowman Avenue dam occurred in 2013, while the U.S. and Iran were negotiating the recent nuclear deal. The malicious software used only provided access to back office systems and not the operational services of the dam. We lucked out.
Bonazzo talked with Leo Taddeo, former Special Agent in Charge of the Special Ops/Cyber Division of the FBI in NY and current CSO of Cryptzone, concerning the attack. Taddeo told the Observer that “the continuing automation of infrastructure by the Internet of Things was cause for concern in this case” because “the more things are interconnected, the more chances an attacker has to get access to things we care about, including the equipment and infrastructure that keeps us safe.” He continued by saying, “Even though this attack wasn’t successful, it shows we need to be vigilant.”
Smart sensors already exist that, among other things, control industrial plant systems and link to each other and to a central hub to provide information that allows companies to monitor and identify potential issues with manufacturing equipment, correcting problems before a shutdown is necessary. Several companies are now in the process of developing and introducing products like GE’s Predix, a cloud-based industrial internet platform that takes the information these smart sensors and other similar products produce, aggregates it, and stores it via the Cloud. According to the product brief, Predix “is machine-centric, supports heterogeneous data acquisition, storage, management, integration, and access, provides advanced predictive analytics, guides personnel with intuitive user experience, and is delivered securely? [emphasis mine] in the cloud.” It basically takes Big Data and allows it to be used in a meaningful way.
But what happens when the system is hacked? I can’t help but believe that if anyone understands the dangers associated with our current path toward total integration of anything and everything on the IoT, it would be Leo Taddeo, and he is definitely concerned. Shouldn’t we be, as well?
I would like to hear your opinions as well as concerns and rebuttals against the inherent dangers presented by the IoT.