Absolute Internet of Things Security

06 Mar

As the Internet of Things (IoT) grows, so do the reports of vulnerabilities. Examples range from the smallish, like the Nest thermostat disaster, all the way up to the vehicles we drive, which have been shown to be hackable with hideous results. The government is aware of the problem, and is doing what government does best: throwing other people’s money at it. See this link for a Homeland Security IoT initiative.

As an engineer, how would you fix this mess? You know it’s only gonna get worse as the number of “things” expands. Better testing? Code reviews? ISO-whatever? Maybe we should move beyond the agile pair programming model to full committee programming. We’ll need bench-seat office chairs. “Hey! You’re in my bubble!”

I’ll give you some tips on making IoT products more secure and private. I’ve used these methods for years, and they are fully applicable to new IoT devices. In no particular order:

  • Turn it off. An IoT device without power is no threat. That includes removing internal batteries.
  • Don’t buy it. Purchasing dumb appliances without connectivity ensures privacy and locks out hackers.
  • Disable the antenna. Your vehicle has GPS and you are worried about tracking? Find the antenna, likely hidden under the dash with a good view of space through the front window. A piece of aluminum foil taped over the antenna (or entire module) will almost certainly disable it. Same for WiFi antennas.
  • Disable WiFi routers near your IoT appliance.
  • Change WiFi security settings to deny IoT devices access to the network. (But they may still access an idiot neighbor’s open WiFi access point!)

I purchased a non-networked but overdesigned stove several years ago, one with a computerized touch panel. It was temperature sensitive such that when the oven was on the heat washed out the display. Several times the controller was totally disabled by the heat and I had to crawl under the stove to unplug it. Total garbage. I took that one to the recycling center and then purchased a completely dumb stove with physical knobs. It has a timer and clock, but that’s about it, and it will boil water without a single line of code running.

This story is important because the same dork engineers who designed that stove, with heat sensitive electronics, are now designing networked IoT devices for your home.

I don’t need my refrigerator to send me a text message when it’s time to buy milk, and people who do have personal issues that cannot be solved easily. I don’t need a car with a built in GPS mapping computer because I know where I’m going and how to get there. I don’t need my television to communicate with Sony or Samsung or Toshiba and tell them what I’m watching, as if I watch much television anyway. I don’t need a WiFi enabled thermostat. In fact, because of proper summer and winter design features, my home hardly needs a thermostat at all.

Perhaps we should stop talking about the Internet of Things and start talking about the Idiocy of Things!

IF YOUR COMPANY is designing IoT products, you need to carefully consider the ramifications. It’s highly likely that your engineering staff downloaded all the connectivity code for your latest product from the Internet, where it was crafted by high caliber engineers in bunny slippers, living in mommy’s basement. Do you really want your family’s financial future depending on that code? Why do you think IoT devices are having all these problems?

The solution is to test that code mercilessly, and fix the exposed vulnerabilities. Yes, it’s going to cost a lot of money, but it’s either that or hiring a big name PR firm to manage the ensuing disaster! Please do the right thing. “Open source IoT software” is not a text fragment you want to find on your tombstone.
