When it comes to personal security, the best tactics are often the simplest: Two-step verification and regular software updates go a long way. But getting people to actually take those steps is a bit more complicated.
Software developer Steve Castle might have an answer. This spring, Castle entered a little-known government competition to help consumers secure their wifi-connected devices — doggie cameras, printers, toasters that check your email. His plan was simple and brilliant: make an app that manages all of a user’s internet-connected devices to check for security vulnerabilities and out-of-date software at once. The judges of the Federal Trade Commission (FTC)’s “Internet of Things Home Inspector Challenge” thought so too, and awarded Castle the $25,000 first prize. Now, all he needs to do is actually get people to use the app.
The Internet of Insecure Things
The so-called “internet of things” is notoriously insecure. We’re increasingly buying devices that connect to the internet — not just laptops or smartphones, but everything from doorknobs to vibrators — without thinking about how those appliances need to be secured, too. Without proper password protection, all those connected devices are easy prey for hackers, who can hijack their functions or use them to set up massive botnets for distributed denial-of-service (DDoS) attacks on other websites. A massive DDoS attack, fueled by an IoT botnet, took down dozens of major websites for hours in October, and experts warn that the trend of flimsy security on connected devices will continue to erode personal data privacy and cause a host of other problems in the future.
Finding a fix
It’s difficult for Castle to choose a single security issue that worries him most.
“I’ll have to say the connection of devices that shouldn’t have been connected in the first place,” he tells Inverse.
While DDoS attacks and botnets are intangible to the average user, Castle says it’s easy to imagine a scenario where the Internet of Things causes real-world damage. He described a situation where a hacker breaks into the system on a smart fridge.
The hacker could monitor the fridge and might be able to actually detect when the owner was home (“think of the light that comes on when you open and close the freezer door, something done likely several times a day,” Castle says). With that data, they could build a profile of when you’re likely to be out of the house and sell it to a local thief or malicious actor, who then would know the perfect time to break in.
Clearly, that’s a scenario to avoid. The problem, as Castle has observed, is consumer apathy. When he asks friends and family how often they update devices, and how easy it is to complete, he says “most of the time I’ll get a blank stare,” or the remarks “‘I thought that happened automatically’” or “‘It’ll be fine, why would someone target me?’”
Part of the problem is that fixing certain vulnerabilities can be pretty technical. “Imagine an app that told someone with limited technical experience to log into their wifi router administration panel, open the LAN settings, and input assigned local IP addresses into the app,” he tells Inverse. “What’s the probability of that actually getting done?”
Instead, he says the best way to fight laziness and technical ignorance is to make it so easy for people to update their devices that their excuses disappear.
That’s exactly what Castle’s award-winning app, “IoT Watchdog,” is designed to do. Here’s how the FTC describes it:
The mobile app he proposed seeks to help users manage the IoT devices in their home. It would enable users with limited technical expertise to scan their home wifi and bluetooth networks to identify and inventory connected devices. It would flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device’s software and fix other vulnerabilities.
Castle adds that his app “solves almost all of the technically challenging issues through automation, run in the background.”
Castle’s app would rely on information from vendors and other sources that report vulnerabilities, so it wouldn’t work for home-made smart devices. Chances are, though, if someone’s making their own IoT devices, they probably know how to secure them. Still, Castle tells Inverse that the app would be able to survey a user’s home network and note possible insecurities within it (just not within the homemade devices themselves).
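An added example, not part of the original article and not code from Castle’s app: one way the “flag out-of-date software” step could work once devices are inventoried, assuming a vendor feed keyed by vendor and model. The device names, versions, URLs and function names are constructed for illustration; a device missing from the feed, such as a home-made one, is reported as unknown rather than assumed safe.

```python
# Added illustration; all device names, versions and URLs are constructed.
ADVISORY_FEED = {  # hypothetical vendor feed: (vendor, model) -> latest firmware
    ("acme", "doggie-cam"): {"latest": "2.4.1", "howto": "https://vendor.example/doggie-cam"},
    ("acme", "printer-x"): {"latest": "1.10.0", "howto": "https://vendor.example/printer-x"},
}

INVENTORY = [  # what a home network scan might have produced (constructed)
    {"name": "Doggie camera", "vendor": "Acme", "model": "doggie-cam", "firmware": "2.4.1"},
    {"name": "Printer", "vendor": "Acme", "model": "printer-x", "firmware": "1.9.2"},
    {"name": "Home-made sensor", "vendor": None, "model": None, "firmware": None},
]


def parse_version(text):
    """'1.10.0' -> (1, 10, 0), so 1.9.2 sorts before 1.10.0 (string order would not)."""
    return tuple(int(part) for part in text.split("."))


def assess(device, feed):
    """Classify one inventoried device as 'ok', 'outdated' or 'unknown'."""
    unknown = {"name": device["name"], "status": "unknown", "action": "review manually"}
    key = ((device.get("vendor") or "").lower(), (device.get("model") or "").lower())
    advisory = feed.get(key)
    if advisory is None or not device.get("firmware"):
        # No vendor data (for example a home-made device): never report it as safe.
        return unknown
    try:
        installed = parse_version(device["firmware"])
        latest = parse_version(advisory["latest"])
    except ValueError:
        return unknown  # version string is not in dotted-number form
    if installed < latest:
        action = f"update to {advisory['latest']}: {advisory['howto']}"
        return {"name": device["name"], "status": "outdated", "action": action}
    return {"name": device["name"], "status": "ok", "action": "none"}


def audit(inventory, feed):
    """Assess every device in the inventory against the feed."""
    return [assess(device, feed) for device in inventory]


if __name__ == "__main__":
    for result in audit(INVENTORY, ADVISORY_FEED):
        print(f"{result['name']}: {result['status']} ({result['action']})")
```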
Castle won $25,000 in the FTC competition, but not the guarantee that his app would actually get made. He’s not yet sure whether he wants to develop it for real: “Feedback has been great,” he says, “but the market demand for the app is still being analyzed.” In the end, it looks like the question comes down to money — people are too lazy to secure their devices, but are they willing to pay for an app to essentially do it for them? Regardless of whether IoT Watchdog ever hits the market, Castle’s on to something. The devastating attacks last October are unlikely to be the last, and if a possible solution is so intuitive and important, how come it doesn’t already exist?