Hackers Love the Internet of Things Because Security Doesn't Sell Toasters
A security professional on the weird economics of software vulnerability and why smart doorknobs should make us nervous.
The phrase “Data Breach” didn’t arrive in the common parlance, which is to say “a substantial number of monthly Google searches,” until November of 2013, when 110 million customer payment cards were exposed by a Target data breach. Now, we understand not only that our information is vulnerable, but that it’s vulnerable from all sides. What was true for Target is now true for Barbie Dolls, toilets, MRI machines, and the Emergency Broadcast System: These things can be hacked. This is why the media has fallen in love with stories about how new products might be hackable or easily compromised. These stories are as commonly prescient as they are invariably confusing. After all, it’s hard to parse what “vulnerable” really means in the age of the breach.
Let’s try because there are a lot more coming.
The digital highways that connect the world now connect to scenic byways that go everywhere. We stand to see a 30-fold increase in the number of devices connected to the internet over the next five years — that’s 26 billion devices online. It’s not just about smartphones and computers anymore, but about smart doorknobs, thermostats, light bulbs, and more. While there’s not necessarily any valuable digital data to be stolen from an internet-connected doorknob, there is plenty of stuff to be stolen from your home if someone learns to turn it. Some times that process is uncomfortably easy for experts.
Dan Guido, CEO of cybersecurity research and development firm Trail of Bits, suggests that this is because of a systemic problem in contemporary tech. Consider your computer or smartphone’s operating system. There are new patches and updates released all the time for Windows, OS X, iOS, and the like. Each one of these updates serves to fix assorted bugs, however invisible they might be to the consumer, and each one these is an opportunity for exploit.
“You never get to the end,” said Guido. “They keep patching and fixing things, but there’s nearly a limitless supply of vulnerabilities for people to find.” The fundamental problem, he says, is that people aren’t constructing software to be secure from the get-go; there is too much emphasis on creating products that are quick and reliable — security remains an afterthought.
It turns out that the closest thing consumers have to a digital security watchdog is the FTC, which has stepped up in recent years to hold companies accountable for their security claims. If a company makes assertions about the security of its products that don’t hold up, it faces fines. This may be intimidating to some smaller firms, but history tells us that consumers have a short memory on security issues so the market tends to spare the lash. Businesses spend time and money on speed and convenience because that’s ultimately what consumers want. Security seems to mostly matter when it fails. This approach might be best summed up as “no harm, no foul.”
This is a problem because it makes embracing innovation a dangerous proposition.
Guido says that many Internet of Things devices are so easy to hack that his company’s interns frequently repurpose them for their own projects. “If you want to break into an iPhone or into Internet Explorer, it takes months of effort. If you want to break into the latest Wi-Fi-enabled scale, it takes one week with no prior experience.” Breaching modern IoT devices is so unremarkable in the world of network security that it’s been termed “junk hacking.”
“Security advancement is not really happening.” Guido explains, suggesting it’s a problem of education. “Providing better tools and incentives for security in computer science education could make a difference. There should be security standards for code that students turn in, but right now it’s hard for a teacher to assess security.”
The takeaway from Guido’s critique: Everything is vulnerable, but specific species of devices are more susceptible to successful incursion. Anything new and hyped or highly iterative is likely to be particularly vulnerable, as are bootstrapped products and any tech product that derives value by leveraging a non-tech brand. Should this be cause for concern or standoffishness among consumers? That depends. If your hackable doorknob presents a legitimate safety concern, your hackable toaster represents a potential but unlikely inconvenience. And there may be value to that inconvenience. After all, a super hackable toaster is hackable to its owner as well, which allows for a fun new type of kitchen customization.
Stories about vulnerability are going to proliferate. The important thing to remember when the headlines start screaming is that not all hacks are created equal and that there are no such things as absolute security — only better bets.