Why privacy and security must be built into the Internet of Things

If the experts are right, your home today is like a computer in the early 1990s. Sure, you connect it to the internet, but it takes initiative and a willingness to embrace new technologies before your neighbor. But in the next five years, that should change radically. If the adoption curve for the Internet of […]

If the experts are right, your home today is like a computer in the early 1990s. Sure, you connect it to the internet, but it takes initiative and a willingness to embrace new technologies before your neighbor. But in the next five years, that should change radically.

If the adoption curve for the Internet of Things (IoT), resembles what we’ve seen with internet-connected PCs and mobile devices, the homes and offices without multiple non-PC internet connected devices will be the exception by the end of the next decade. The cost saving potential for businesses, local governments and individuals will likely verge on being irresistible. And so will the potential to free us up to pursue lives most enjoyable activities by skipping the mundane.

Why shouldn’t our refrigerator make our grocery list, for instance?

But to ensure that this new so-called “Internet of Everything” frees us rather than binds us, we must start thinking about privacy and security now.

“You’re not secure if you can’t control the destiny of your private information,” writes Cory Doctorow. “A system is not secure if it doesn’t give you the freedom to do what you need to do.”

The author and privacy activist warns that so-called “backdoors” build for ostensibly legitimate purposes like law enforcement present to attractive of a lure to be used illegitimately, given the unprecedented access that devices will have to our lives. This will require us to assume that every manufacturer, law enforcement official, customer service agent etc. maintain impeccably honest — even though we already know that some of those who have to power to abuse such access will.

Doctorow points to “kill switch laws” in California and Minneapolis that require manufacturers to enable over-the-air updates that render the phone useless that deter cell phone thieves as an example of a technology that is easily exploitable. Phones are getting cheaper and cheaper, as the worth of the data they hold becomes more and more invaluable as our entire life and finances becomes entangled with the devices in our pockets.

“We don’t know how to make back doors that only good guys can go through,” he writes.

We have the time and opportunity to insist that these devices are designed with our digital freedom in mind. Even though there are cases of criminals already exploiting smart devices as part of zombie botnets, the technology is nowhere near pervasive yet to present an target for criminals or government surveillance agencies anywhere as attractive as PCs or mobile devices.

At F-Secure, we’re exploring security for the IoT. The threats we are seeing may be targeting Embedded Linux devices sooner than later. But we don’t anticipate substantial Smart Home threats to materialize until 2017.

“Imagine a user-centric, data-centric, freedom-centric version of this security measure: all devices would have to be sold with encrypted filesystems by default, so that users whose phones are lost or stolen can be sure that their data is intact, that their bank accounts won’t be raided, that the correspondence with their lawyers and doctors and lovers won’t be read, that their search history and photos won’t be exposed,” Doctrow proposes. He then counters with the some of the flaws in such a system because “Good security measures anticipate countermeasures.”

These are the kinds of debates we should be having now, while our imagination is still shaping the future. Or else, the risk, is “an Internet of Things That Boss You Around.”

[Image by Ben Tesch | Flickr]

Share this post:

More from this category

Latest Media