Shodan: maybe this will get people to take IoT privacy/security seriously!

Wired has an article this week about Shodan, the “IoT search engine,” which I hope scares the bejesus out of enough companies and government officials that they’ll finally realize how absolutely critical it is that we make security and privacy THE top public policy/corporate management priorities regarding the IoT.

Shodan’s homepage proudly proclaims that it will let you “EXPOSE ONLINE DEVICES: webcams, routers, power plants, iPhones, wind turbines, refrigerators (there’s that meme again!), VoIP phones.” Anyone out there who isn’t covered by that list? If so, stay in your cave!

As for everyone else, maybe you’d be more properly attracted by the CNN story about Shodan several months ago: “Shodan: the scariest search engine on the Internet.” Got your attention yet?

Here’s what Shodan can do, according to CNN:

“It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”

Command and control systems for nuclear power plants? Sheesh!

Reminds me that while the Obama Administration remains abysmally ignorant of the IoT (and, remember, I’m a fan of them in general …) one official who was all in was former CIA Director David Petraeus:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’

All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.

‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’

Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’ All of which is true — if convenient for a CIA director.”

Sufficiently alarmed yet?

Let me be clear: I am convinced that security and privacy are the two issues that have the greatest potential to stop the Internet of Things dead in its tracks — and I felt that way even before Edward Snowden was a household name.

Snowden, ooops, Shodan, has revealed shocking indifference to security on the part of countless organizations (and, BTW, don’t forget that 85% of the U.S.’s critical infrastructure — power plants, pipelines, chemical factories, etc., is in private hands):

“A quick search for ‘default password’ reveals countless printers, servers and system control devices that use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.”

This is as scary as the Vanity Fair article last year about how a miscreant could use an iPhone to kill you!

That figure, 85% of critical infrastructure in private hands, should be a stark reminder: the only way we can possibly address IoT privacy and security is through collaborative government/private sector action, with strong involvement by you and me.

If you are involved in the IoT in any way, you simply can’t duck this issue!

 

Essential Truth: Gathering “Ground Truth” through IoT

This is the second in my occasional series of “Essential Truths” — key principles and questions about the Internet of Things.

On Tuesday, when I speak to our next Boston/New England IoT Meetup on the issue of “human communications and the IoT,” one of the concepts I’ll be focusing on is what Chris Rezendes of INEX Advisors calls “ground truth,” a concept he was exposed to through his work with clients in the defense industry.

This is the idea that when devices become “smart,” they give off “digital exhaust” (in the same way as our searches do, which Google analyzes, allowing improvement in search results) which creates “device intelligence” that we can analyze and act upon. That is ground truth: accurate data about real-world conditions that we can share in real-time to improve operating performance and analysis.

According to Chris,

“You will have data, objective facts, about that tree or tidal pool, that machine or that vehicle, that room or that field, that patient or that criminal. The data in that ground truth will complement certain aspects of our perceptions about those things; and displace our misperceptions. And that ground truth will help us all make better decisions about how to manage our time on earth.”
— “Internet of Things: Grandest Opportunity, Most Stubborn Challenges”

It seems to me that this is one of the IoT’s most important potential benefits: improving decision-making by being able to base it on factual, timely information.

Think, for example, about the contentious issue of global warming. Cisco’s “Planetary Skin,” and HP’s “central nervous system for the planet” projects will deploy unprecedented numbers of remote sensors planet-wide, yielding real-time data about how global warming is affecting your community. It may not win over the hard-core global warming deniers (they’ll never listen to reason, IMHO!) but it should provide the objective evidence that rational people can agree on as the basis for action.

Even better, we can also improve this decision making because of my first “Essential Truth,” learning to ask “who else can use this data?” Think of it: within limits, of course, the more perspectives that are brought into decision making the more likely we are to make sound decisions, because the likelihood of leaving out some important perspective and not analyzing all the possible ramifications is reduced. In the past, we could never do that, because we didn’t have the real-time data, and we couldn’t involve all of those people on a real-time basis.

I suspect that this will be a major issue for management theorists to bat around in coming years, and that our decision-making processes will be fundamentally altered for the better. IMHO, this change in decision making, not advances such as automatic regulation of assembly lines or building in feedback loops between manufacturers and customers, is perhaps the most important thing that the IoT will allow. It will have profound impact!

Thanks for the concept, Chris!

Hallelujah! The Internet of People launches

Most readers of this blog probably already know Rob van Kranenburg, arguably THE leading European Internet of Things theorist. What you may not know is that, for the past year, he and a core group of IoT leaders have been planning creation of a UK-based global IoT consultancy, “The Internet of People.”

Unfortunately, one of the victims of that effort was a planned collaboration between Rob and me on an article about the IoT for the Harvard Business Review, but now I’ve got Dave Evans of Cisco as a writing partner, so I ain’t complainin’!

At any rate, there’s glorious news today: The Internet of People has officially launched, and there are more than 100 of us consultants who are already in the fold!

This is going to be an all-star team, so if you’re in need of IoT strategy and other consulting services, I hope you’ll contact us!

Cormoran Project: Ad hoc human networks and the IoT

Posted on 11th June 2013 in Homeland Security, Internet of Things, privacy, security

I first became interested in mesh networks when I was focusing on the role of individuals in homeland security — what I call “networked homeland security.” I learned about a project at the University of Illinois that created software to form ad hoc mesh networks that could relay data between PCs, and quickly realized this could be invaluable in disasters to relay information (see my YouTube video on the subject, part of my “21st-century disaster tips you WON’T hear from officials” series…).

That’s why I was particularly excited to hear about this possible component of the Internet of Things: individuals becoming nodes in mesh networks because of sensors woven into our clothing. Gigaom reports that a team of French researchers has launched the “Cormoran Project,” to create “wireless body-area networks (WBANs).”

They would capitalize on the growing number of wearable computers, from the Peeko “onesie” to Google Glass. However, the researchers visualize these devices as being more than just data sources for real-time health monitoring (as important as that is!): “Rather than just remain terminuses, they could route bits to and relay data from each other, becoming a distributed ad hoc network that constantly morphs as we move through physical space.”

Instead of requiring a dedicated link to the web, such a network would share (BTW, collaboration will be one of my future “Essential Truth” subjects) connections and relay data from everyone who, at that moment in time, is a member of the ad hoc network because of their location.

Here’s the neat (and, equally scary!) aspect of these ad hoc human networks:

“… by linking to one another, body area networks could create new useful data about users’ surroundings and location. By measuring the signal strength of nearby connections, the network could determine the precise location of every node, or person, within it.”

The article points out that this could lead to services such as sharing information in disasters, guiding all passengers en masse to their gates, managing pedestrian traffic in cities, or studying group behavior.

Equally important, if individuals weren’t able to control access to their personal location data, it could lead to horrific invasions of personal privacy, made even more scary by the fact that hackers would be able to tell the individual’s precise location. Although I have been unable to find anything in the Cormoran literature specifically identifying privacy protections as part of the project, the EU seems to take privacy concerns about the IoT much more seriously than the U.S. government does, so let’s hope they come up with practical, enforceable protections — otherwise the downside would seem to outweigh the advantages.

 

 

 

 


Time-critical crowdsourcing during crises

Posted on 22nd May 2013 in Homeland Security, Internet of Things

Even though I’m concentrating on the Internet of Things these days, I try to keep a hand in one of my enduring passions: using a combination of social media and mobile devices during disasters/terrorist attacks — what I call “networked homeland security.” After all, as John Arquilla has argued, we are in an era of netwars in which the enemy isn’t organized hierarchically but is networked (and, by extension, natural disasters are similar: they are chaotic, opportunistic, and anything but orderly), so it takes a flexible, networked response to deal with them effectively (and, to tie in my work with the IoT, I expect that the IoT will radically increase our ability to share data and collaborate!).

Sooo, I was terribly excited to read this blog post by the brilliant Patrick Meier on how “time-critical crowdsourcing” could be used to verify critical information in near real-time during a disaster (or debunk it, in the case of erroneous information). The Patriots’ Day bombings in the Hub of the Universe underscored both the value of social media and its pitfalls, as in the case of erroneous identification of the bombers on Reddit.

Meier’s new project, Verily, will take a two-pronged approach to speed verification of data in disasters/terror attacks:

  1. time-critical mobilization & crowdsourcing. The logic is that these incidents are geographically bounded, so that people who actually are on the scene could be quickly identified through their social networks, and could use their smart-phone cameras to actually document the situation (I predicted this kind of verification in a now-laughably dated YouTube video six years ago when these cameras were first becoming widespread).
  2. the novel part is to also crowdsource critical thinking. Meier says that Pinterest is the model for this process. “…. with each piece of content (text, image, video), users are required to add a sentence or two to explain why they think or know that piece of evidence is authentic or not. Others can comment on said evidence accordingly. This workflow prompts users to think critically rather than blindly share/RT content on Twitter without much thought, context or explanation. Indeed, we hope that with Verily more people will share links back to Verily pages rather than to out of context and unsubstantiated links of images/videos/claims, etc.”

Meier says the Verily project will try to foster this kind of critical thinking (hey, we aren’t going to do it without some guidance: my gripe with vacuous sloganeering such as DHS’ “If you see something, say something” campaign — exactly what is it that they think we might see???? Tell us, please, Sec. Napolitano, what to look for). It will include mini-guides on information forensics available to users — drawn in part from old friend Andy Carvin.

So bravo for Verily — it fascinates me that every time our mobile devices gain some new powers or some new social medium is created, bright people come up with innovative ways to crowdsource information in disasters. Verily, by adding in the important factor of critical thinking, should radically improve the quality of this information.

Want to help plan how the Internet of Things will transform government? Join my new GovLoop group!

Have no doubt about it: the Internet of Things will transform government, affecting public security, defense, environmental protection, transport, and health. If you’d like to be part of the community planning how to help government capitalize on the IoT, please join my new GovLoop community on the topic!

New IDC report says IoT has reached tipping point for government

As you may know, I’ve been critical of the Obama Administration in the past for ignoring the Internet of Things’ potential. Maybe this report will light a fire under them!

IDC has just released a major report, The Coming of Age of the Internet of Things in Government. Research Director Massimiliano Claps concludes that:

“The Internet of Things is reaching a tipping point that will make it a sustainable paradigm for practical applications. The public sector’s use of the IoT is still limited but emerging strongly in the transport, public security, and environmental sustainability domains …. IoT applications in the public sector can span a variety of domains: public security, defense, environmental protection, transport, and health. In each of these domains, connected objects can provide situational awareness that can help citizens and government personnel act and react at the operational level, monitor the status or behavior of people and assets to make management decisions, and support very fine-grained, sensor-driven analytics that help with planning decisions.”

Couldn’t agree more!

The report says that despite the IoT’s promise to revolutionize a wide range of governmental services, most of the applications to date have focused on environmental monitoring, transportation and security. “The limitations have to do as much with the early stages of the technology as with the management approach to using it.”

It cites some of the emerging m-medicine services that promise to both improve patient care and reduce costs, such as around-the-clock mobile vital signs monitoring.

The Coming of Age of the Internet of Things in Government urges agencies to:

“…consider multiple management factors that will influence the ability to harness the benefits of IoT, including the volume, variety, velocity and value of data that are going to be generated, the massive scale of the infrastructure, the complexity of governance, the financial sustainability and the legal aspects.”

I hope this report will prove the impetus for a major new emphasis on governmental applications for the IoT!