A little more than a year ago, I urged manufacturing companies testing the IoT waters to leave the work of bringing Internet connectivity to their traditionally unconnected products to those who understand what’s at stake. I’m not alone in my concerns that the IoT brigade will bring with it an avalanche of staggeringly insecure products that will find their way into our daily lives.
What we’re seeing right now is a hopefully imperfect storm of security challenges that, with any luck, will not result in global security and privacy breaches. In one corner, we have companies like Dell and Lenovo distributing computers with wide-open root CAs, allowing anyone with a small amount of skill to crib a certificate and spoof SSL websites, run man-in-the-middle attacks, and install malicious software on those Windows systems with nary a whimper from the “protections” in place to prevent such issues.
Dell, in fact, has done this twice over with some of its new laptops, the second of which was brought to light right before Thanksgiving. The upshot is that the company added this certificate to the Trusted Root Store on new laptops and included the private key. Thus, anyone can create certs that will be accepted as legitimate on those laptops. Good show!
In the other corner, we have several government agencies from around the globe arguing that they should have some kind of magical access key to all forms of encryption that will let them decrypt the data, while somehow keeping the “bad guys” out. Hanlon’s Razor states, “Never attribute to malice that which is adequately explained by stupidity.” But here we have broad evidence of both.
The result of both the anti-encryption lobby’s desires and Dell’s and Lenovo’s missteps is the same: They undermine encryption and privacy by granting access to “encrypted” communications to outsiders. Of course, Dell and Lenovo have compromised only their own products, while the anti-encryption faction would see the same scenario play out on every device from every manufacturer.
Then we add the rise of IoT. As jaded as I am after so many years of witnessing inexplicably poor security practices from companies of every size, I hold out little hope that the companies marrying Internet connectivity to their previously unconnected products will fare any better.
The joke about “Why does my refrigerator need Twitter?” neglects to take into consideration that poor security practices could allow script kiddies to control refrigerator functions. A connected and managed sump pump sounds great, but only if it doesn’t get shut down remotely. We are already seeing all kinds of home interior security cameras that claim to offer greater security, but could very easily be used to record every movement of your family. We’ve already seen Microsoft pushing an Xbox One with an always-on HD camera and microphone that couldn’t be disabled, drawing allegations of Microsoft spying on its users or allowing the government to do so.
But it doesn't matter if it’s an Xbox One from Microsoft or another item -- as long as there’s a device capable of recording video and audio present in the room, the possibility exists that it could be used to surreptitiously record everything within its purview, such as the living rooms of millions of people. It doesn’t have to be Microsoft or the government doing the spying, either. With lax security, it could be anyone.
Ultimately, any connected device with closed source code could conceivably be a security threat. That nifty Wi-Fi-enabled doohickey you buy next year could potentially be used to gain access to your home network and connect with a botnet. Your new smart TV is always listening to what’s said in the room and sending that data off to be processed. Or, of course, someone on the other side of the country could take control of your car and drive you off the road.
This isn’t speculation or supposition, and it’s certainly not a conspiracy theory. This is happening now.
You may trust Microsoft and Samsung not to spy on your living room, be confident that Dell and Lenovo will try to make things right, and expect that companies that are adding Internet connectivity to their core products will eventually improve that practice. In that case, you also have to trust they are securing all that connectivity, the data, and the data collection methods so that criminals and other bad actors can’t come along for the ride -- even while governments want to compromise the very encryption that offers any protection at all.