Last October, when a large number of major websites were taken down by a distributed denial of service (DDoS) attack, how many of us thought at the time that the Internet of Things (IoT) could be involved? Apparently, it was – and those kinds of attacks aren’t going to stop, according to Ph.D. candidate (she’s studying the political philosophy of technology) and The Coming Swarm author Molly Sauter, the keynote speaker at the inaugural Hacker Connect conference. So what does this mean for those of us who have made our homes smart?
The downside of the smart home: be mindful
“The IoT promises to bring us convenience, security, better understandings of ourselves and our environment – but what it actually brings is surveillance and loss of privacy and data,” said Sauter.
What’s the IoT? Sauter described it as “a combination of the deployment of sensors, automation, big data, mobile apps and cloud computation storage, attached to everyday items, processes and systems.”
The IoT includes items like:
Nest (and other brand-name) thermostats to manage a home’s climate
Smart locks to control home entry
Smart video cameras for added security
Smart footballs to monitor your spiral throws
Smart egg cartons to evaluate freshness
Smart jars to reorder your coffee or quinoa
Smart water bottles to track your hydration over time
Mattress covers that turn lights off and lock doors
Even menstrual cups with Bluetooth capability
Nest may be the best-known smart home device; it started as an automated remote thermostat system. “It learns your schedule through the day, so when you’re gone it doesn’t heat your house but when you come back, it does.”
Now the Nest includes smoke, carbon monoxide and “works with Nest” related devices, like smart light bulbs and home sprinkler systems.
At the beginning of 2016, Sauter noted, a software glitch caused Nest batteries to drain – leaving users with no heat (in January), and no way to turn heat back on.
The fix was a nine-step process involving a three-hour charge cycle.
IoT TOS
“Like most tech companies, and frankly like most companies, Nest’s terms of service (TOS) agreement – it’s worth noting that it has both terms of service and a licensing agreement – limits damages, prohibits class action lawsuits and requires all disputes to be resolved through binding arbitration in San Francisco,” explained Sauter.
Other products have similar TOS agreements “that disclaim liability and strip customers of their rights to a day in the courtroom,” she added.
So what’s the problem?
Each one of these devices, Sauter pointed out, “fundamentally relies on the cloud to operate, whether to perform analysis or just as a path to other various devices.”
While many of us might think that sounds safe and secure, Sauter had a stark reminder: “There is no cloud; it’s just someone else’s computer.”
And so, she added, “the magic of the cloud, like all magic, comes at a price.”
What’s the price? Continual transfer of data about you – your habits, speech and possessions – away from you and to a variety of third parties.
“So what?” you may be thinking. But significant privacy concerns emerge when you begin to follow the rabbit down its hole.
Consider the smart fridge from Samsung. When you close the door, it takes a picture of everything in your fridge. “This is so if you’re at the grocery store and you’re like, damn, I don’t know if we have eggs – I’ll check my phone from here,” said Sauter. “It’s terribly, terribly convenient.”
However, refrigerators aren’t just for food these days – some people take medication that requires refrigeration. “Does the Samsung smart fridge conform to HIPAA guidelines when taking, storing and transmitting these pictures, or is this just a giant privacy hole?”
And remember those third-party recipients of your personal information? Let’s say your fridge and nutrition tracker are linked to your health insurance or your employer. They might not appreciate your nutrition choices.
Lack of redundancy
For technology to be safe and reliable, you need redundancy – proper technological backups to handle failures.
Do you keep an extra fridge in case your fridge crashes, Sauter asked? A backup thermostat in case another bug sneaks into a Nest update?
What exactly does the IoT have to do with DDoS?
Sauter suggested a new collective noun for IoT devices – “a botnet of IoT devices” – and used it to describe the fall 2016 internet outage.
“When you type a URL into your web browser, you’re typing a human-readable URL,” she noted. But Google lives at a semi-permanent machine address. “The DNS [domain name system] translates human-readable URLs to machine-readable IPs [internet protocols].”
Some platforms depend on collecting data from all over the internet – Twitter, Facebook and other social media websites, and many others. A company called Dyn provides DNS support to many of the largest companies that require this type of distribution.
Last October, an attack on Dyn meant that Amazon, BBC, Slack, Zillow – and many other big websites – all went down because a botnet was attacking the DNS system.
“This botnet was made of IoT devices,” explained Sauter, including closed-circuit television cameras, webcams, baby monitors, routers and a few other subcategories of devices.
Those devices combined were able to produce an estimated load of 1.2 terabytes per second – currently the largest DDoS on record.
“The ultimate interpretation of this particular situation is the DDoS is coming from inside the house,” Sauter noted.
“IoT represents a very salient and present threat to the network that those same devices run on.”
What can be done?
Consumer-grade IoT devices are becoming so prolific that if even just a portion of them were compromised, it could be disastrous, said Sauter.
Protection against botnets and other types of hacking isn’t robust enough yet, she added.
And DDoS attacks are not likely to stop. “More devices are going to get smart; we’re going to keep putting more chips on more things,” predicted Sauter.
Is there anything agents can do to help protect consumers? “Tell people not to put this shit in their homes,” Sauter advised bluntly. It’s simply not secure, even with a password-protected phone.
Have you ever lost your phone, Sauter asked? Has anyone who didn’t have your best interests at heart been able to access your phone?
Although it may not seem realistic, Sauter believes that the simplest way for us to serve our clients is by cautioning them against the potential risks of making their homes smarter.
“The consumer has no real control over these devices,” she concluded.
As with anything, too much may not be a good thing. Yes, we all love the convenience that technology can provide us.