Monday, March 28, 2016

You Have Already Lost


IoT Security, take 2 (at least)


A couple of weeks ago, I took a stab at the current buzz issue dealing with the Internet of Things: Security.  The bottom line from that attempt: update the defaults and you don't have anything to worry about*.

After reading many articles on IoT security, I feel that I may need to amend that rather blithe recommendation.  With all of the information that corporations, governments, and service level workers have on each of us, your security is no longer in just your hands.  You are now at the mercy of whatever information security policies that all of those entities have put in place.  The result:


You have already been compromised.


And it is not even your fault, because it is almost impossible to live in a western, first world economy and avoid having your personal information stolen, regardless of your own security.  Think of all of the ways that we offer our information to people without vetting their ability to protect it:

  • We hand our credit cards to waitstaff who then walk away to a back room and do who-knows-what.
  • We trust that there is nothing funny with the ATM or credit card reader whenever we swipe.
  • We give our address and other payment information to credit card companies, on-line shopping sites and other places and assume that they have policies in place.  That's turned out well for Target, Sony and several others.
  • We set up our personal email accounts with large corporations who make their money by selling our information (albeit at one remove) to other large corporations who want to sell us something.
  • We trust our government with our information.  A government whose own level of bureaucratic security is no match for the military grade attacks that it is receiving.  For that matter, the government itself is looking to ensure that all of our security is delicately compromised, though only they will have the key (#sure).

Not doing these things is all but impossible in an advanced economy.  What's even worse is that as soon as one security hole is patched, another appears.  This is a 'warhead versus wall' paradigm ('para-dig-em') and the warhead always wins.

What is a person to do?


There are several options.  First, you can cut all ties with technology and live in the wilderness, in ignorance, scared of Those-Who-Must-Not-Be-Named.  If you are like me, this is not an option worth considering.  How can I chill without Netflix?  Who would I call out to for my music?  #notgoingtohappen.

What else, then?  Most of the big data security breaches have been to gather personal information so that thieves can steal identities and make purchases using credit cards or bank info.  Only some of that is relevant to the Internet of Things and SmartHome technology.  The best way to deal with a fight you've already lost is to have a plan and know what to do ahead of time.


Securing Your Security


What is relevant to IoT and home automation is planning.  When starting out with your SmartHome system, there are two basic approaches:

  • Roll your own.  This approach assumes that you are setting up your own servers and cloud and doing most of the pairing and integration work yourself.  Programs like HomeSeer and OpenHAB rely on you to do more of the work, but also allow many more levels of customization and, because they are local and generally not tied to a large corporate server, are more secure.  You can even step off the deep end and use a Raspberry Pi.

    The downside is compatibility.  While you'll be able to find sensors and switches and such, larger items will be more difficult.  Connected refrigerators and smart door locks are usually locked to the manufacturer's cloud and won't integrate with a home-built, jury-rigged system.

  • Use an existing 'ecosystem'.  Here we're talking about something like Apple's HomeKit, Google's Brillo/Weave/Works-with-Nest, AT&T's Digital Life, Comcast's Xfinity Home, and Samsung's SmartThings.  Here the initial heavy lifting is done for you.  There's no need to learn how to open ports on your router or determine the best mesh network for your needs.  Instead, look at the manufacturer's list of compatible devices and go.

    Here the downside is that you are relying on their cloud security to keep your home secure.  Who are the faceless minions that maintain their servers?  Why might some group of hackers, corporate rival or government want to attack them?  In fact, what is that manufacturer themselves doing with the data that they collect on you?  You don't know.  Even if you read the Terms of Service document, it's really hard to know.

The real choice here is control versus time/convenience.  Why are you getting into home automation?  If it's more about security, then roll your own.  On the other hand, if you like the convenience of switching things on and off from around the world, having your TV turn on when you roll into the garage, but don't have the time to delve into nested if-then statements, go for a pre-built platform.

But if you do go for the pre-built system, try to stick to one.  While you can add Alexa to SmartThings to Hue to Nest, each additional service does not double your chance of exposure, it raises the stakes exponentially.

I think I've ground this into the dirt.  Beaten a dead horse.  So I'll end it.  Here.

*My advice should be taken at your own risk.  My sense of responsibility for your actions is a fart in the wind.  That's enough CYA for now.
