Building for the Internet of Things Is Great—Just Keep Security in Mind
The Internet of Things gives makers the ability to fuse art and science. Where else can you connect a toothbrush to the Internet to track your tooth care routine, or ask Alexa to warn you when your mother-in-law’s connected car is within ten minutes of your house? You get to build mobile apps and cloud apps, as well as learn how to wield a soldering iron.
But with great freedom comes great responsibility. We have to ensure that the devices we make are safe and that the user’s data remains secure.
With a connected toothbrush, the worst safety case may be that you chafe the user’s gums—or perhaps you could make it explode in their face. So I brushed my teeth only fifteen seconds one day and skipped my nightly brushing last Saturday. Who cares about the data?
Then again, what if that data is merged with your overall dental records to enable your insurer to charge higher rates to those who don’t practice good oral hygiene? Your dental records may coexist with your medical records, which contain a good deal more details about you, and also may include billing information.
But the IoT isn’t just about smart home products, such as toothbrushes, thermostats, light bulbs, and security cameras; it’s being used in many enterprises, even some we think of as largely manual operations.
For example, agricultural equipment is being instrumented with telematics units to track their movement and even control them remotely. Imagine an exploit where the attacker configures the seed planting depth at six inches rather than two inches, so the crops never break soil. The attack may not be detected for a few weeks and would cause a crop shortage.
There’s a related—and possibly more serious—attack, though: data such as type and number of seeds planted, and soil and weather conditions, are collected and stored centrally. An attacker who gains access to that data could manipulate crop futures markets.
Clearly, one of the major assets of the IoT is the immense amount of data collected about the environment that the “thing” is monitoring, including human activities and behavior. Consumers are—rightfully—concerned about the privacy implications: Their movements are tracked through GPS units in connected cars and fitness trackers; they are identified at locations instrumented with cameras and facial recognition software; mobile phones emit a “fingerprint” that can be picked up by IoT devices. Effectively, technology is always watching you.
There are huge opportunities to transform everyday life into frictionless interactions between humans and machines. However, the IoT also means that the technological attack surface is everything.
Makers learning how to build IoT devices must also learn how to build safe, available, and compliant devices. Security underpins all those properties, as well as safeguarding access to sensitive data. So by all means, continue to innovate—just don’t let security be an afterthought.
Christopher Poulin is presenting the session The IoT: Internet of Threats? at the IoT Dev + Test 2017 conference, April 24–28 in San Diego, CA.
