Are you looking forward to having all of your appliances conveniently synced to your smartphone or tablet? Of course you are, but you’re not alone. Lurking behind your Web-connected toaster sits a network of people with the power to track your crispy bagel all the way back to your credit card number with a few strokes of a keyboard. They’re called hackers, and they’re probably even more excited about the Internet of Things than you are.
When most people hear about a hacker threat, they immediately check their bank accounts, but money isn’t always the motivation behind these covert criminals. Just ask the Schrecks, an Ohio couple whose peaceful evening was disrupted by the sound of a strange man’s voice coming from their 10-month-old daughter’s nursery. Fearing someone climbed through their window, Adam Schreck burst through the door to find their baby monitor was now under the control of some sadistic nutbag who was shouting obscenities at their little darling. And then, as if possessed by the same demon as the little girl from The Exorcist, the camera turned around, stared the dad dead in the eyes and redirected the vitriol towards him.
Fortunately for the couple, their finances went untouched, but the story doesn’t have an entirely happy ending. Aside from the cash they’ll have to drop on psychiatric counseling as their little angel ages, there’s a chance the hacker left some bread crumbs leading back to more pertinent information. According to Infinity Partners solutions expert Dave Hatter, “Sophisticated hackers know they can use this as a launching-off point to get into your network and potentially steal your ID or launch malicious attacks.”
For the Schrecks, it was a nanny cam, but hackers aren’t limited to audio-visual equipment. If an object or appliance is connected to your router, hackers can follow that rabbit hole straight to your social security number. With IDC predicting there will be approximately 212 billion “things” connected to the Web by 2020, that’s a lot of paths to identity theft.
Consumers would like to believe security is the first thing a company takes into account before launching a new product, but they are sorely mistaken. “We’re still connecting things first and securing them after,” says Symantec security strategist, Sian John. “This is because we live in a consumerised world where there’s a need for businesses to release devices at a competitive price point. In general this means they primarily invest in things like fashion and marketing, leaving little room for security.”
Sian’s hypothesis would be less troublesome if it weren’t for the fact that our new devices are collecting personal information at an unprecedented rate. From wearables monitoring our health stats to door locks keeping track of our comings and goings, it won’t be too hard for hackers to decipher when we will be at our most vulnerable. “If you look at Google or social sites, their motivation is to get behavioral information about someone to do analytics. They expand this with mobile devices and wearable technology. While this data may not be of direct interest to criminals, it can have a cumulative effect. The more information criminals have, the easier it is for them to target you,” cautions Sian.
“The reality is whatever technology step you take there will always be a hack for it,” says Sian. As pessimistic as that may sound to consumers, it means great job security for Sian and other individuals who make a living trying to protect our devices. Last April, McAfee publicly outlined what a comprehensive IoT security strategy should contain:
And wouldn’t you know it, McAfee just so happens to offer a variety of software and services that allow companies to focus on their products instead of security protocols. “Security needs to be built in as the foundation of the Internet of Things,” said Michael Fey, worldwide chief technology officer for Intel Security. “Any disruption to these IP connected devices can cause damage to the business and our daily lives. We need to have foresight into what is coming so we can prevent against threats and securely manage these devices. McAfee is enabling the future and the possibilities that the Internet of Things brings to our daily lives.”
Major companies like McAfee aren’t the only ones who stand to profit from data protection. Even independent developers can earn up to $75,000 by entering the Cisco Internet of Things Security Grand Challenge. The contest is open to anyone with an interest in securing the IoT, and submissions will be judged on the following criteria:
If this is the first you’re hearing of the Cisco security contest, you better get to brainstorming. The submissions deadline is June 17th, “[beginning] with an open call for concise, nonconfidential proposals that demonstrate a potential to advance the state of the art [of IoT security],” according to the Process section of the website.
During a recent presentation at this year’s Austin CocoaConf, iOS Architect Conrad Stoll gave some helpful advice on “Demystifying Security Best Practices” for app developers and engineers. For starters, you need to understand the type of information your app is going to be handling. Banking apps will obviously need much tighter security than a game like Flappy Bird. “Security is all about making tradeoffs,” explains Stoll. “Every app we build has an appropriate balance between security and usability.”
Stoll’s slideshare goes on to explain 14 best practices for securing your app, and while many of them are over the average consumer’s head, he does mention some universal themes we can all appreciate. One tip that’s especially relevant to the next wave of smartphones is hiding a user’s personal information while the app is in background mode. Most users forget their app is even running once it’s hidden behind the home screen, giving hackers the perfect opportunity to take advantage of their negligence.
He also encourages developers to be polite when asking users permission for their location or other information required to run an app. Stoll insists that you should never ask for permission on app launch or login; you should always ask in response to user action, ask only for what you clearly need, and explain why you need permission. To put it simply, “Be a good house guest.” There’s a slew of other helpful hints and tips throughout Stoll’s presentation, but he ends it with the most important and easy to understand tidbit of them all:
Whether you’re a developer, entrepreneur or a tech-hungry consumer, security is the key to safely navigating the Internet of Things. Stay vigilant, stay informed and most importantly, stay away from people who think it’s fun to emotionally scar infants.