The subject of the security risks inherent in the internet of things came up over breakfast a few weeks back. Other families talk about sport or politics; we chat about risks and countermeasures because we’re a family of nerds.
I explained to my eldest how Network Address Translation works. We have a broadband router that connects to our neighbourhood’s cable television network. The broadband router has a legitimate IP address and can be found by anyone on Earth. Behind that, we have our hardware firewall that presents only one host ID to the internet. Our firewall NATs everything behind it, giving each IP-addressable device its own unique network address. In order to make my point, I had my eldest log into our broadband router and review its NAT table.
He was surprised to see how many reservations there were, so we tracked every address back to a specific device. He identified his laptop, the PlayStation, his iPhone, the printer, and so on. Finally, we came to an entry that he couldn’t place at all… It took him nearly half an hour and a bunch of clues to associate the mystery address with our programmable thermostat. Here in Texas, we participate in a programme where our private electricity company is allowed to turn off our aircon during peak demand for ten minutes every hour. In exchange, we get a much lower rate for electricity all year round.
It’s a great idea… and it’s also a potential security threat because we have zero control over the security settings on our networked thermostat. Everything else in the house is managed according to cyber-defence best practices: all computers are actively managed for patches, have top-rated anti-virus applications installed, have software firewalls configured, and so on. The firewall’s firmware is updated immediately when patches become available, and its logs are emailed to me for review. Every device gets backed up regularly to up to two different sources. We pay attention to industry advisories about new vulnerabilities and ensure that we implement best-practice countermeasures immediately if we have a vulnerable piece of kit in the house.
Despite our best effort, though, there are factors that we just can’t control. I showed my son where one of his friends visited the house and was allowed to connect to the family Wi-Fi network. We can’t be sure whether Bob was dutifully patching his phone like he should unless we demand to inspect it. That is, at least, an option (although not a polite one). Our thermostat, though, lives in our house inside our defensive perimeter all day every day, and remains a “black box” to us. We can’t inspect it. We can’t patch it. Our thermostat is controlled by our electric company’s servers, and we can’t inspect or control them, either.
This is the inescapable security problem posed by the internet of things: every device inside your home perimeter is a potentially invisible (and often unmitigatable) security risk. Your smart TV and programmable toaster are running minimalist operating systems. They connect to the internet, and can speak to all of their neighbours on the home network. Any device may, at any moment, have unrealised technical vulnerabilities … and you don’t know about them.
Any innocuous consumer appliance can become a pivot point for an external attacker. A baddie can compromise your networked clothes dryer, and then use it to attack all of your other devices from inside your house. I predict that consumers will need to learn how to engineer their home networks to include a business-grade demilitarized zone between two different firewalls, just to protect themselves from their own smart appliances.
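As an added illustration (not part of the original article), here is the appliance-isolation idea above expressed as an nftables ruleset on a single Linux router with three interfaces, a simpler stand-in for the two-firewall DMZ. The interface names `wan0`, `lan0` and `iot0` are assumptions, and the rules cover IPv4 only.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = uplink to the ISP,
# lan0 = trusted computers, iot0 = smart appliances (thermostat, TV, ...).
# IPv4 only: a matching ip6 table is needed if the segments carry IPv6.
table ip home_segments {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Trusted hosts may reach the internet and may initiate to appliances.
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # Appliances may call out to their vendor or utility servers ...
        iifname "iot0" oifname "wan0" accept

        # ... but may never open a connection to a trusted host.
        # Log the attempt: an appliance probing the LAN deserves a look.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Appliances get DNS and DHCP from the router and nothing else,
        # so the router's own admin interface is out of their reach.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept

        # Only the trusted segment may manage the router.
        iifname "lan0" accept
    }
}
```

With this in place a compromised appliance can still reach the internet, but it cannot open connections to the laptops and phones on the trusted segment, and each blocked attempt leaves a line in the kernel log.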