Monday, March 7, 2016

Internet of the Least Secure

I Say Securi-Tah, You Say...

One of my favorite Twitter accounts is SecuriTay (@SwiftOnSecurity), purported to be Taylor Swift commenting on the state of consumer data security.  From it, you get gems like:


The author has the same sense of "Yes it's serious, that's why I mock it" that I'm reaching for here.  He/She/It reminds us that the vast majority of us are both as opinionated and clueless as a pop-diva (or actor) at an info-sec convention: that this conversation about how to secure the Internet of Things is over most of our heads.

Even if you manage the user database for a corporate IT system and understand levels of privilege and how to assign them, much of that does not apply to your home life or your social life or your commuting life.  Yet the systems that we are asking to augment (govern) those parts of our lives are generating usable, traceable, exploitable data.  And we are rarely assigned root, or admin, or even power user privileges (just try deleting your FB profile or using YouTube without G+ (though that's changing. Some.))

Won't Someone Think of the Children?

However, because we all have access to the internet and a keyboard or camera or microphone or all three, we feel that we can comment on things that are way over our heads.  Many of those comments as they relate to the Internet of Things are about protecting children and other innocents, those who are not savvy in the ways of the World Wide Web (and other less reputable networks).

And yet... Ultimately, we are all children in this space.

We parents post about our children on FB or Instagram or wherever without thought.  Yet we are concerned about them posting on-line?  We know better?  Maybe.  But by posting, the information is out there: you have a child and at this date they were this old...  For a child predator, this is enough.  Is it enough to outweigh the convenience of instantly sharing your incredible child with your friends and family and basking in the precious likes?  That is left for each of us to decide.  As it should be.  These are supposed to be tools that augment our lives, not limit them.

Love me, Fear me

The truth is that we are living in this on-line space, but its complexity is becoming unknowable: too many standards, too many variables from this site to that.  How do we deal?  Are we to be governed by fear?  Are we to throw in the towel and let it all hang out?  The answer is somewhere in the middle: be conscious of what you share and where you share it.  Who are you sharing your content with?  If others see this, what will they learn about me from it?  Always keep that old saw about seeing IT in the NYT in the back of your mind.

But all of that is generic to our lives on-line.  When dealing with the Internet of Things and a burgeoning Smart Home, the rules are actually simpler:

  • Change all of the defaults: usernames, passwords, IP addresses, TCP/IP ports, etc.  Too many people still have an old router with the factory default passwords and that is an opening just screaming to be exploited.  Not doing this is a big reason why sites like Shodan can exist.
  • Regularly schedule password changes.  Your work IT support schedules this on a monthly or quarterly basis.  Use that schedule at home.  Or tie it to something that fits with your home: furnace air filter changes or oil changes or haircuts.  
  • Don't put anything in your home in a place that you would not be comfortable being sensed by others.  It may seem like a good idea to link an IR sensor to the bathroom light so you don't have to fumble around in the middle of the night, but now someone will know if you are in the bathroom or not.  Maybe you don't want that.  (Maybe you do.  Hey, I'm not judging).
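As an added example that is not part of the original post: a small Python audit over a constructed smart-home device inventory that flags the first two rules above (factory defaults still in place for username, password, IP address or port, and passwords past a rotation interval). The vendor name, default values, dates and device entries are all made-up placeholders.

```python
from datetime import date, timedelta

# Constructed sample inventory (placeholder data, not from the post): what each
# device is configured with now, plus the date its password was last changed.
DEVICES = [
    {"name": "router", "vendor": "acme", "username": "admin", "password": "admin",
     "ip": "192.168.0.1", "port": 80, "last_changed": date(2015, 1, 10)},
    {"name": "camera", "vendor": "acme", "username": "owner", "password": "long-unique-phrase",
     "ip": "192.168.0.20", "port": 8443, "last_changed": date(2016, 2, 1)},
    {"name": "thermostat", "vendor": "acme", "username": "hvac", "password": "cozy-house-42",
     "ip": "192.168.0.30", "port": 443, "last_changed": date(2015, 6, 1)},
]

# Hypothetical factory defaults per vendor (placeholder values, not a real vendor's).
FACTORY_DEFAULTS = {
    "acme": {"username": "admin", "password": "admin", "ip": "192.168.0.1", "port": 80},
}

ROTATION = timedelta(days=90)        # quarterly, like the office schedule in the post
REVIEW_DATE = date(2016, 3, 7)       # the day the audit is run (constructed)


def audit(devices, defaults, today, rotation=ROTATION):
    """Return (device name, finding) pairs, one per rule a device violates."""
    findings = []
    for dev in devices:
        vendor_defaults = defaults.get(dev["vendor"], {})
        # Rule 1: any setting still equal to the vendor's factory default.
        for key in ("username", "password", "ip", "port"):
            if key in vendor_defaults and dev.get(key) == vendor_defaults[key]:
                findings.append((dev["name"], f"default {key}"))
        # Rule 2: password not changed within the rotation interval.
        if today - dev["last_changed"] > rotation:
            findings.append((dev["name"], "password older than rotation interval"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(DEVICES, FACTORY_DEFAULTS, REVIEW_DATE):
        print(f"{name}: {problem}")
```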

Finally, please keep in mind that the programmers (not the companies who build all this stuff) who write the code for IoT products are usually much more aware of security issues than the federal government.  Which is good.  However, they have to code for the least common denominator.  Which is bad.

Be better than that least common denominator and you should be okay.
