Wednesday, 16 July 2014

IoT Security (or lack of it) - why you should worry

The Internet of Things (IoT) is cool, and business has realised it's going to be big. But is it going to be secure enough?

I'm normally a pretty laissez-faire sort of chap, but I am very concerned about the current attitude towards security on the Internet of Things.

I posted recently on The Analogies project, and I'll be talking about this at an IoT meeting later this year. But this is a problem right now.

Here's one example.

I was recently approached by someone from an open-source IoT project to see if I'd like to get involved.

I had a look on their website, and what they were doing looked great. Except...

There was no mention of security.

I asked, and got the reply that this was not a concern, as they assumed that the home network was secure.

Don't assume the home network is secure

Sadly, many home networks are easily hackable. The recent excitement over OpenSSL means that most hobbyist web servers using HTTPS have been vulnerable for ages (and they probably still are). Worse still, many routers sit at home with default security settings (including default passwords), giving anyone with a little technical knowledge the chance to invade the home network at their leisure.

Why worry?

Does that matter? Of course it does.

If you're a burglar with access to someone's energy consumption patterns, it's really easy to detect when the house is unoccupied.

And lots of other things get connected to the web. If you have outdoor webcams, do you have a kidnappable pet? The kidnappers would love to know when the pets are out and you aren't in. (Let's not even mention the risks to children.)

We don't worry enough about all of this because most of us haven't heard horror stories about the IoT yet. But when we do, will it be too late?

What's your take? I'd love to read your comments.