Internet of Things – just because we can, doesn’t mean we should

 

At the dentist office today was the most ridiculous thing to join the Internet of Things – a Bluetooth-enabled POWER TOOTHBRUSH.  What on earth is the value of connecting your toothbrush to the internet? For that matter, why enable your TOASTER to be online?  Your washer, your dryer?  Do you really need your fridge to tell you when you need eggs, milk or beer?

Just because we CAN put connectivity into all kinds of devices, SHOULD we?  If there were no cost to having all of these devices happily chatting online and sharing their IP addresses, then why not? But there is a cost to this incredible interconnectedness – nearly all of these devices were built without security in mind.  Because of this, they are ripe little plums to be enslaved by bot herders who will gather them to participate in massive denial of service attacks.  Approximately a year ago, the world first saw the power and peril of the IoT when a herd of enslaved CCTV’s brought down some of the internet’s leading websites through attacking managed DNS provider Dyn, as well as security researcher Bryan Krebs and French ISP OVH (See “The Incredibly Insecure Internet of Things“).  Those attacks underscored the danger of linking everything and began the pointing of fingers to resolve the problem.

The problem has not yet been resolved, although IoT security companies are sprouting up overnight. Device manufacturers may be adding some forms of security in the future, but are all of them?  What about the devices that are already deployed?  Relying on end users to change device passwords is a ridiculous strategy.  IoT devices can be prevented from joining bot herds through the DNS, which right now is the only easy strategy to address the secure-less devices.

Perhaps we should start thinking about the true need when enabling a device – devise a litmus test of sorts to determine whether connection really brings value beyond the belief that users need to have everything connected.

Toothbrushes and toasters would fail such a test – there is no good reason for either to be connected.  Washers, dryers and refrigerators also would fail – the only reason to enable the first two is because advertisers want to serve ads; and refusing to note what is in your fridge is actually doing your brain a disservice.   Cameras, medical devices, security systems, routers – yes.  Thermostats? Not so much. Garage doors?  Hmm, the chance of opening it yourself remotely just became a real issue – one you wouldn’t face (outside of within a block) without Internet of Things enablement.

In lieu of any official litmus test, it is up to the end user to put the brakes on buying connected devices, because many of them actually make you less secure.  After all, Amazon Echo and Google Home don’t stop listening to you just because you didn’t say their name, and did you know that hackers can access the webcam on your computer as long as the computer is turned on?