Friday, November 3, 2017

Do you understand enough about the Internet Of Things to use it?

This is interesting:
Every time a major Internet-connected-product is released, we keep coming back to the debate over security vs. convenience. The progression of arguments goes something like this:
  • One group expresses outrage/skepticism/ridicule of how this product doesn't need to be connected to the Internet;
  • Another group argues how the benefits outweigh the risks and/or how the risks are overblown;
  • There will be news stories on both sides of the issue, and the debate soon dies down as people move on to the next thing; and
  • Most users are left wondering what to believe.
If you've been reading here, you aren't wondering.
As a security researcher, I often wonder whether the conveniences offered by these Internet-connected-devices are worth the potential security risks. To meaningfully understand the nuances of this ecosystem, I consciously made these devices a part of my daily life over the past year. One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected-devices, which makes it difficult for users to have any sort of effective understanding of their risks. I pointed out the same in a recent CNN Tech article about Amazon Key, where I also said:
A simple rule of thumb here could be to visualize the best case, average case, and worst case scenarios, see how each of those affect you, and take a call on whether you are equipped to deal with the fall out, and whether the tradeoffs are worth the convenience.
This is  a really good idea.  The article is long but very thought provoking.  The one thing that I would add is that there isn't a snowball's chance in the Mojave Desert that this will happen.  The reason is that security is the last thing on the IoT designer's minds.  IoT engineering funding comes from one of a very few places:

  1. The existing appliance sales are flat, so quick add Internet connectivity to the refrigerator/stove/etc.  The goal is to raise the price point by adding cool and flash.
  2. Adding Internet connectivity to the device is "Insanely Great" and will let you sell to people who want to "Think Different".  Hey, it worked for Apple, didn't it?
  3. Someone wants to spy on you, and so makes your Barbie doll or whatever "Interactive".

In none of these cases do any of the marketing folks want you to actually be able to understand the risks you are introducing into your home.  Heck, I've been doing this for over 30 years and I can't understand the risks.

And so my approach is to say "not just 'no' but 'HELL no'" to any IoT devices.  Sorry, I don't want a cool refrigerator, I want one that keeps my food cold (at a low cost).  Sorry, I don't care if you think I should "think different".  And as to spying - yeah, that's typically my starting assumption for all of these devices.

That's probably unfair, to the devices and to the people who designed them.  But without the slightest possibility of figuring out just what is being done to me, that's actually my best option.  It very well may be your best option, too.  At least until Silicon Valley marketroids earn some of our trust back.


SiGraybeard said...

I'm stuck at the first one, trying to visualize the best case.

So my refrigerator talks to... what? My stove? My air conditioner? What do they have to say to each other? I don't want my refrigerator re-ordering food from the store. Is my refrigerator supposed to tell my washing machine, "they're having spaghetti sauce, be prepared to wash it off clothes?"

The A/C is the single most expensive appliance in the house. I can't think of anything it could get over the internet that would help me.

I saw a refrigerator at the orange Borg that had LCD displays on the front. So I don't have to open the door and see what's in it? That's the only remotely reasonable use.

Rick C said...

"I can't think of anything it could get over the internet that would help me. "

Nonsense. It can help you save money by throttling your electricity on heavy-usage days.

Borepatch said...

It can help the Electric Company save capacity investment by throttling your electricity on heavy-usage days.

There, I fixed it for you. ;-)

Jeffrey Smith said...

Theoretically you could turn your AC on an hour before you arrived home, avoiding both having it on all day and coming home to a stifling hot house.

But for me the benefits are not enough to justify the known risks, much less the unknown ones.

Besides, a hundred years ago, not only dud they not have internet connected refrigerators and air conditioners, they didn't have refrigerators and air conditioners. But they managed to survive.

Antibubba said...

I know enough about the IofT to not use it.

Jonathan H said...

Me too - I know enough to not use it until the companies making it show that not only will it help me AND be reasonable priced AND not have any drawbacks (primarily security, but also others, as the Nest recall for accidentally turning off fire detection showed).

As I have said elsewhere with unmanned aircraft, driverless cars, etc - these are essentially internet companies bringing a non-critical software view to hardware, and specifically critical software, and either not knowing the difference or intentionally ignoring it.

When they design and program with the rigor that airplane computer designers do, THEN I'll buy in to the technology (and it needs to be competitive in price as well - within 20% or so).