Voir en

Comp. Security: The Internet of Things: the walls have ears

IoT devices cannot be expected to be secure

8 August, 2017

Having “intelligent” devices at home is nothing really new. Aren't our washing machines, robot vacuum cleaners, coffee machines, etc. all sufficiently smart to serve our needs? Apparently not, as the consumer electronics market is now going full steam towards the “Internet-of-Things” (IoT): home appliances that are fully interconnected and, by using central cloud service computing power, able to help you improve your life. Seriously?

To give you a few examples of what I mean: the thermostats developed by Google build up a complete home automation system to manage the temperature of every room. They learn your daily room usage so that you don't even have to adjust the temperature settings anymore. Some “smart” thermometers easily surpass standard healthcare thermometers, as do smart toasters: control them via a smartphone app, share your settings with friends, upload information to Facebook, etc. The new generation of voice-controlled intelligent personal assistants come with a webcam that allows you to rate your outfit. For the best hairstyle ever, a smart hairbrush can optimise your look, taking weather reports, i.e. humidity and temperature, into account!

So what could go wrong? With the advent of the IoT at home, “privacy” is at stake:

Some Smart TVs are able to use voice recognition to listen to what is happening in your living room;
The manufacturer of the most famous doll in the world had a similar idea with its latest doll, but this was badly received by privacy advocates;
Once, a smart voice-controlled smart assistant even created some unwanted online orders when a TV news anchor said “Alexa, buy me a doll house”. The voice-activated assistant Alexa simply complied… Data registered by a smart assistant have even been subject to a legal case where “Alexa” might have been a witness to a murder and recorded everything that happened. Similarly, do not commit a crime if you happen to be wearing a fitness wristband – it might be used against you;

…and this list is not exhaustive.

In addition, from the "security" perspective, readers of the CERN Bulletin might recall "IoTs: The Treasure Trove at CERN", outlining a few security risks related to such devices that are part of the Internet-of-Things, and there are many more examples. In October 2016, the Mirai botnet affected close to a million customers of Deutsche Telekom by misusing poorly secured IoT devices. However, it will be much more difficult to keep all those devices up-to-date, so broader protection, like your wireless access router at home, or CERN's outer perimeter firewall, once again become the last and only line of defence… So, we have interesting times ahead. How much "security" and "privacy" are we prepared to trade for more convenience?

It is up to you to make a conscious choice as to how much "privacy" you want to hand over to companies. Check whether you can control which aspects of your personal data you want to expose. When it comes to "security", don't expect too much. As shown by our treasure trove tests, but also by many other reports like those from the last "BlackHat" conference, IoT devices cannot be expected to be secure. The important thing is that, as much as at CERN, your personal firewall at home (usually part of your wireless access point and router) is fully locked down so that no incoming traffic can try to exploit your devices.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.

Computer Security