When it comes to the ever-encroaching reality of a world dominated by the Internet of Things, security breaches “will get worse, potentially a lot worse, before it gets better,” says Ted Harrington, partner at Independent Security Evaluators and organizer of the annual DEFCON hacker conference.
Harrington knows what he’s talking about. His company revolves around cybersecurity and is organizing the first-ever “IoT Village” at DEFCON, the annual hacking conference that goes down August 4-7 in Las Vegas. It’s where hackers are encouraged to finagle their way into IoT devices and find security soft spots. And if history is any indication, Harrington tells Inverse that security around IoT devices will become even more porous before the technology finally tightens up.
New technology follows three predictable steps, Harrington says. First, someone innovates. Second, developers flood the marketplace with similar products without considering security implications. Third, the security community convinces the industry to tighten up security.
“We are at the very, very, very front edge of that second phase,” Harrington says. “We have a long way to go before we get to the third phase.”
And it’s the very connectivity that draws people to IoT that is putting people at risk.
Communities of black-hat hackers (the ones looking to harm the people they hack) aren’t new, and no one is safe. While hacks on companies like Sony and people like Donald Trump get all the attention, it’s the hacks on your personal devices that you should be worried about.
That’s because security just isn’t something that the companies developing your smart TVs, smart thermostats, and smart doorknobs are worried about.
“Your trust model on IoT is broken,” Harrington said. “Meaning connected devices inherently trust each other, when in fact they should inherently distrust each other.”
This leads to holes in products that should be protecting both your privacy and your security. Essentially, privacy relates to a user deciding how the information their devices collect about them is used by people and other companies, whereas security relates to how effective a device is at allowing access only to its owner. Privacy is usually lost the minute people start using a device, through the End User License Agreement and registration. Security, however, is lost because developers are making users easy targets for hackers.
For example: A hacker could remotely compromise an Amazon Echo. That Echo is connected to the TV and the speakers, but also to a store of family pictures and an electronically filed tax return. Now that hacker, who only broke into the Echo, has everything they need to perform identity theft. The devices that inherently trusted each other and shared all of the person’s information and passwords actually betrayed the owner.
This might sound like a slippery-slope argument to make you fear the future and anything new, but it’s a scenario that could far too easily become reality, Harrington says.
He adds that not all smart devices are entirely protected.
“A way to think about that is consumers should assume that by deploying this device, some bad guy has the ability to compromise it,” he says.
So think twice: how badly do you want the latest device?
“Don’t get lost in the hype with how exciting IoT is,” Harrington said, “without balancing it with the risk that comes along with IoT.”