A discussion of Internet of Things (IoT) security often sounds abstract and futuristic (exception). It sometimes makes it sound as if the risks of IoT are all theoretical and abstract. Let’s bring this to life … NOW!
Except for computers, phones and a tablet, here is what I have asking for IP addresses in my home today:
|TV||Netflix, YouTube||Spying on content watched /LOW/|
|BlueRay player||Netflix, YouTube||Spying on content watched /LOW/|
|Security camera set||Motion alerts via email (remote viewing only inside firewall)||Disabled by burglars, spying on deliveries, home presence, etc /LOW-MED/|
|Thermostat||Programming, status reporting, remote on/off||Equipment malfunction, spying on home presence /MEDIUM/|
|Garage door||Status reporting, remote open/close||Burglars opening the door, spying on home presence, equipment malfunction /LOW/|
|Printer||Not used presently, LAN only||Spying on content printed /LOW/|
From the table above, you can see that I consider most risks of what I currently have from the IoT domain to be LOW, except for the thermostat. This exciting Twitter thread explains why (Nest + “Stuxnet” = Hilarity Ensues!)
What I may consider in the future:
- Kitchen equipment (not physically able to cause a fire)
- Car unlock (insurance takes care of most of these risks)
- Other home automation (lighting, sensors, more cameras, etc)
Will never, ever, ever consider (at least not until IT/OT security state of practices changes dramatically in a now-unthinkable way):
- Main house door lock/unlock
- Anything that can cause a fire (at least, not without hardware – rather than firmware – safeguards)
- Anything that can cause a flood (at least, not without hardware – rather than firmware – safeguards)
What do we learn from this?
- Operational Technology (OT) security and IoT security would be a fun topic in the coming years if not decades. You think IT security is fun now? Just you wait…
- Except for maybe the “iDevice maker”, vendors who focus on and excel in hardware royally suck at software (if they can barely write a UI, do you think they can write secure TCP/IP drivers?).
- Stakes are mostly low today (!), and the risk in IoT is low because the value is low and the threat is low (while vulnerabilities are high!). Said value will skyrocket and so will the threat. Will vulnerabilities subside? Have they elsewhere?
Add 1.-3. up…. see that explosion on the picture? BOOM!!!