Sometimes I think my appliances are conspiring against me. You know, when the dishwasher stops cleaning dishes on the same morning as the garbage disposal clogs up and the coffeemaker overflows. It’s like they have a secret planning session to overthrow my life. (Shades of the 1987 classic animated movie “The Brave Little Toaster.”)
OK, such a conspiracy theory is a little wacko, even for me. But in fact, as our homes, offices, cities and cars are filling up with the Internet of Things (intelligent devices connected on the internet), a conspiracy is actually possible.
Intelligent devices require intelligent solutions.
I was just talking with a company that engineers Internet of Things (IoT) devices for hospitals that record when medications are given and update patient records automatically over the network.
On the home front, you can adjust your home’s temperature and monitor home security cameras remotely over the internet. You can even set up your home lights to turn on and off, and change brightness and color through a browser.
But what happens if the software in one of these devices contains a security hole? Can you imagine someone exploiting a flaw in your IoT device and siphoning off your passwords and credit card numbers? How about cranking up the temperature in your house while you are out? Or even more horrible, your hospital devices being coerced into launching a denial of service attack on hospital records.
This is really not so far-fetched as it sounds. It’s well known that the famous Stuxnet virus, which disabled most of the PCs on the internet in 2010, started out life as such an exploit. It was a bit of malware designed to destroy the centrifuges being used to refine uranium for bomb-making in Iran. How it managed to get out into the internet is another story.
With the potential of billions of network-connected smart devices coming online in the next few years, what can be done about this?
The best defense
The best defense by far is to update the software on the device once the security flaw is discovered. You need to be able to send a firmware update to the device which fixes the flaw. And of course, you need to be sure the firmware update is actually authenticated and not from a Bad Guy. Yocto Project* v2.1, releasing this month, will include such a feature called “swupd”. Cool!
I think the bigger concern is companies who sell devices and never update them. For example, at home I have a stereo receiver that’s connected to the internet and used to get these firmware updates periodically. One day the updates just stopped coming—probably because the company can’t afford to validate firmware updates if the device is no longer being actively sold.
I guess you could always just brick the device remotely. Such a thing happened famously with the Revolv home automation device recently. You could also just build in some kind of magic poison pill which could be remotely activated.
This will be an ongoing subject of discussion and innovation. I just heard about one other idea this week which sounds hopeful: A system which will notify engineers when a new security flaw has popped up in one of their Linux systems. This would at least enable proactive patching, which is a good start.
After all, I really don’t want my toaster to orchestrate some midnight coup d’etat in my kitchen!