Don’t Say I Didn’t Warn You: One of Largest Botnet Attacks Ever Due to Lax IoT Security

Don’t say I didn’t warn you about how privacy and security had to be THE highest priority for any IoT device.

On September 19th, Chris Rezendes and I were the guests on a Harvard Business Review webinar on IoT privacy and security. I once again was blunt that:

  • you can’t wait until you’ve designed your cool new IoT device before you begin to add in privacy and security protections. Start on Day 1!
  • sensors are particularly vulnerable, since they’re usually designed for minimum cost, installed, and forgotten.
  • as with the Target hack, hackers will try to exploit the least protected part of the system.
  • privacy and security protections must be iterative, because the threats are constantly changing.
  • responsible companies have as much to lose as the irresponsible, because the result of shortcomings could be held against the IoT in general.

The very next day, all hell broke loose. Hackers used the Mirai malware to launch one of the largest distributed denial-of-service attacks ever, on security blogger Brian Krebs (BTW, the bad guys failed, because of valiant work by the good guys here in Cambridge, at Akamai!).


The threat was so bad that DHS’s National Cyber Awareness System sent out the first bulletin I ever remember getting from them dealing specifically with IoT devices. As it warned, “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.” By way of further explanation, DHS showed how ridiculously simple the attacks were because of inadequate protection:

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices. The purported Mirai author claimed that over 380,000 IoT devices (my emphasis) were enslaved by the Mirai malware in the attack on Krebs’ website.”

A later attack in France during September using Mirai resulted in the largest DDoS attack ever.

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders. Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

How’d they do it?

By a feature of the malware that detects and attacks consumer IoT devices that only have default, sometimes hardwired, passwords and usernames (or, as Dark Reading put it in an apocalyptic sub-head, “Mirai malware could signal the beginning of new trend in using Internet of Things devices as bots for DDoS attacks.”).

To place the blame closer to home (well, more accurately, in the home!) you and I, if we bought cheap smart thermostats or baby monitors with minimal or no privacy protections and didn’t bother to set up custom passwords, may have unwittingly participated in the attack. Got your attention yet?
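As an added example (not from the original post, and not DHS’s, Akamai’s or Krebs’ code), the following Python looks at the same pattern from the defender’s side: one source trying factory-default accounts against many devices within a short window, which is what the 62-entry dictionary scan looks like in a device’s login log. The log format, device names, source addresses and the three default account names are constructed here; Mirai’s real dictionary is not reproduced.

```python
"""Detect Mirai-style default-credential sweeps in IoT device login logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder: factory-default account names on *our* device fleet.
# Mirai's real 62-entry dictionary is deliberately not reproduced here.
FACTORY_DEFAULT_USERS = {"admin", "root", "user"}

# Constructed sample log (syslog-style key=value; passwords are never logged).
# 198.51.100.7 walks three devices in a few seconds using factory accounts;
# 192.0.2.5 is an administrator doing routine work on two devices.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z host=cam-01 src=198.51.100.7 user=root result=FAIL
2016-09-20T10:00:02Z host=cam-01 src=198.51.100.7 user=admin result=OK
2016-09-20T10:00:03Z host=dvr-02 src=198.51.100.7 user=root result=OK
2016-09-20T10:00:04Z host=rtr-03 src=198.51.100.7 user=admin result=FAIL
2016-09-20T10:00:05Z host=rtr-03 src=198.51.100.7 user=user result=OK
2016-09-20T10:04:10Z host=cam-04 src=192.0.2.5 user=ops result=OK
2016-09-20T10:04:40Z host=dvr-05 src=192.0.2.5 user=admin result=OK
this line is not a login record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for one login record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_sweeps(events, min_hosts=3, window=timedelta(seconds=60)):
    """Map each sweeping source to every host it touched.

    A source is 'sweeping' when it attempts logins on at least
    `min_hosts` distinct devices within any `window`-long span.
    A single admin touching two boxes in a minute stays below the bar.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {first["host"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                hosts.add(later["host"])
            if len(hosts) >= min_hosts:
                sweeps[src] = {e["host"] for e in evs}
                break
    return sweeps


def analyze(log_text, default_users=FACTORY_DEFAULT_USERS):
    """Return sweeping sources and devices they entered via a factory account."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    sweeps = find_sweeps(events)
    # A successful login with a factory account *from a sweeping source* is the
    # signature of the bot recruiting a device; that host needs a credential
    # reset and isolation, not just a log entry.
    compromised = sorted({
        e["host"] for e in events
        if e["src"] in sweeps and e["result"] == "OK" and e["user"] in default_users
    })
    return {"sweep_sources": sorted(sweeps), "likely_compromised": compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src in report["sweep_sources"]:
        print(f"credential sweep from {src}")
    for host in report["likely_compromised"]:
        print(f"{host}: factory-account login during sweep; reset credentials and isolate")
```

The thresholds (three devices in sixty seconds) are assumptions to tune per fleet; the real fix the post calls for is that no device ships with a credential this check could ever match.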


No responsible IoT inventor or company can deny it any longer: the entire industry is at risk unless corporate users and the general public can be confident that privacy and security are baked in and continuously upgraded. Please watch the HBR webinar if you haven’t already, and pledge to make IoT privacy and security Job #1!



PS: According to the DHS bulletin:

“In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks. This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million (my emphasis) enslaved IoT devices.”

BTW: thanks to my friend Bob Weisberg for reminding me to give this situation its due!


Alexa and Aging: more on voice as THE interface for “SmartAging”

Amazon Echo & services it can trigger!

I predict every elderly person will soon have a personal home assistant, ready to respond to their every command.

However, that home health aide may not be human, but sit on the kitchen counter, and look suspiciously like Amazon’s breakthrough IoT device, the Echo.

The late Mark Weiser, “the father of the Internet of Things,” famously predicted that “the best computer is a quiet, invisible servant,” and that’s certainly the potential with Echo, or the just announced Google Assistant (how sexy is that name? I like the fact it’s so impersonal. Lets you fire one voice “assistant” and hire another without becoming personally attached, LOL), or the much-rumored Apple version, which might also include a camera (disclaimer: while I work part-time at an Apple Store, I ain’t privy to any inside dope, no way, no how).

That’s particularly the case when it comes to seniors, and my SmartAging vision of an IoT-based future for them combining Quantified Self health monitoring devices that can motivate seniors to improve their fitness levels, and smart home devices that can make it easier to manage their homes as they age, to avoid costly and soul-deadening institutionalization (or, even better, combining the two, as with one of my favorite IFTTT “recipes,” programming your Jawbone to wake you gently at the best time in your sleep cycle, AND gradually turn on your Hue lights). How better for a senior — or anyone — to start their day on a positive note (OK, I know what you’re thinking: better turn on the coffee maker automatically!).

KidsMD for Amazon Alexa

What really got me thinking about the advantages of a voice-activated future for seniors was a recent story about a similar app for the other end of the age spectrum, developed by our Children’s Hospital, for Alexa: KidsMD. What better for a harried mom or dad, with his or her hands full, AND a sick child to boot, than to simply ask for advice on temperature, fever and the like? That got me thinking that the same would apply to seniors as well, needing advice with some of the unwanted aspects of aging (I could mention here an example from a senior I care for, but that would be most unpleasant…). As I’ve said before, this would be helpful under any circumstances, but when the person needing help is a frail, tech-averse senior, it would be superb if s/he only had to speak a simple command or request to get needed help, or advice on something such as the proper amount of an over-the-counter drug to take.

There are tons of other life-improving reasons for such an approach for seniors, including:

Of course, and I can’t emphasize this enough, especially since seniors are already victims of so many scamming tricks, because these counter-top devices are always on, listening to you, and because much of their possible use could be for reporting confidential health or financial data, privacy and security MUST be THE top priority in designing any kind of voice-activated app or device for seniors. Think of them as the canaries in the coal mine in this regard: protecting vulnerable seniors’ privacy and security should be the acid test of all voice-activated apps and devices for people of all ages.

Having said all that, as I noted in a piece last week about what a stunning combination of services Amazon has put together to become the dominant player in the retail IoT sector, one of those offerings is the $100 million Alexa fund to fuel advances in the voice-activated arena. I’m ready to put their money where my mouth is (LOL) in this regard, to design voice-activated devices and services for seniors. If you’d like to partner, E-mail me!!

Zoe: perhaps even better than Echo as IoT killer device?

Zoe smart home hub

I’ve raved before about Echo, Amazon’s increasingly versatile smart home hub, primarily because it is voice activated, and thus can be used by anyone, regardless of tech smarts — or whether their hands are full of stuff. As I’ve mentioned, voice control makes it a natural for my “SmartAging” concept to help improve seniors’ health and allow them to manage their homes, because you don’t have to understand the underlying technology — just talk.

Now there’s a challenger on the horizon: start-up Zoe, which offers many of Echo’s uses, but with an important difference that’s increasingly relevant as IoT security and privacy challenges mount: your data will remain securely in your home. Or, as their slogan goes:

“So far, smart home meant high convenience, no privacy, or privacy, but no fun. We are empowering you to have both.”

You can still get in on Zoe’s Indiegogo campaign with a $249 contribution, which will get you a hub and an extra “voice drop” to use in another room, or the base level, $169 for a single room. Looks kinda cool to me, especially with the easily changed “Art Covers” and backlight coloring (the Che Guevara one looks appropriate for a revolutionary product)… The product will ship in late 2016.

Don’t get me wrong: I love Echo & will be getting mine soon, but there is that creepy factor given government officials’ fascination with the potential of tapping into smart home data as part of their surveillance. Remember what US Director of Intelligence James Clapper said: “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.” Consider then, that Echo sits there on your kitchen counter, potentially hacked and then hoovering up all of your kitchen chit-chat to relay directly to the spooks. Wouldn’t you rather that data remained totally under your control?

In addition to storing the data on site rather than in the cloud, Zoe also touts advanced voice recognition, so it can learn IFTTT-style “recipes,” or be operated by apps. She comes with 1,500 built-in voice commands; if you stump her (and only if you choose to, preserving that in-house-only option), a web-based Advanced Voice Recognition service steps in from the cloud. Her recognition capabilities will grow over time. Zoe will work with WiFi, Bluetooth, Z-Wave, and other standards.

The company will ship the developers’ kit in six months. It will be open source.

Not being cloud based will mean it loses to Echo on two important counts. For many people, the ability to order things from Amazon simply by speaking may be more important than security concerns. Also, I notice it doesn’t mention any speakers, so it may be lacking the ability to also serve as a music source (obviously it wouldn’t work with Amazon Music or Apple Music if it isn’t cloud-connected, but it would at least be nice to be able to use it to play your own collection — advantage to Echo on that one).

At least this means there’s competition in the field (and, BTW, I’d love to see Apple swoop in and make THE voice-activated device!)


BTW: Thanks to good buddy Bob Weisberg for the tip about Zoe! Follow him!


My IoT Day Interview With Sudha Jamthe

Oops: I’ve been preoccupied with all sorts of dreck since returning from my SAP event, so I haven’t been able to post.

Did want to call your attention to a long IoT Day interview I did with the estimable Sudha Jamthe, author of The Internet of Things Business Primer. We covered a range of topics, including the state of the IoT in Boston (and my enthusiasm about GE’s move here, because of their track record of working with IoT startups and even individuals), how I got involved in my IoT-based “SmartAging” crusade, and how the IoT may make possible “circular enterprises” orbiting around real-time IoT data. Enjoy!

Digital Twins: the Ultimate in Internet of Things Real-Time Monitoring

Get ready for the age when every product will have a “digital twin” back at the manufacturer, a perfect copy of not just the product as it left the factory floor, but as it is functioning in the field right now. That will be yet another IoT game-changer in terms of my 4th IoT Essential Truth, “rethink products.”

Oh, and did I forget to mention that we’ll each have a personal body twin from birth, to improve our health?

For the first time we’ll really understand products, how they work, what’s needed to improve them, and even how they may be tweaked once they’re thousands of miles from the factory, to add new features, fix problems, and/or optimize efficiency.

Key to circular organizations

Even better, the twin can play a critical role in accomplishing my vision of new circular organizations (replacing obsolete hierarchies and linear processes), in which all relevant departments and functions (and even supply chain members, distribution networks and customers, where relevant) form a continuous circle with real-time IoT data as the hub. Think of the twin as one of those manifestations of the real-time data to which all departments will have simultaneous access.

GE Digital Twin visualization

I’ve often remarked how incredible it was that companies (especially manufacturers) were able to function as well as they did and produce products as functional as they were despite the inability to peek inside them and really understand their operations and/or problems. Bravo, industrial pioneers!

However, that’s no longer good enough, and that’s where digital twins come in. In a WSJ blog post this week, General Electric’s William Ruh, my fav IoT visionary/pragmatist, talked about how the company, as part of its “Industrial Internet” transformation, is making digital twins a key tool:

“Every product out there will have one, and there will be an ability to connect a system, or systems of digital twins, easily. The digital twin is a model of an asset, a product such as a jet engine or a model of the blades in a jet engine. Sensors on those blades pull the data off and feed them into the digital twin. The digital twin is kept current with the data that is run off the sensors. It is in sync with the reality of the blade. Now we can ask what is the best time to change the blade, how the blade performs, options to get greater efficiency.”

Proof of the pudding?

Ruh says they’ve created a wind turbine and twin they call the “Digital Windfarm,” which generates 20% more electricity than a nearby conventional turbine.

PTC is also working on digital twins. According to the company’s Executive VP for Digital Twin, Mike Campbell: “It’s a model that uniquely represents a physical occurrence in the real world. This one-to-one mapping is important. You create a relationship between the digital data and a unique product occurrence from a variety of sources: sensors, enterprise data on how it was made, what its configuration was, its geometry, how it is being used, and how it is being serviced.”

Predix

The key to digital twins is GE’s “Predix” predictive analytics software platform, which the company is extending across its entire product line. As always, the key is a constant stream of real-time data:

“weather, component messages, service reports, performance of similar models in GE’s fleets—a predictive model is built and the data collected is turned into actionable insights. This model can perform advanced planning, such as forecasting a ‘plan of the day’ for turbine operation, determining a highly efficient strategy to execute planned maintenance activities, and providing warnings about upcoming unplanned maintenance events, all of which ultimately generates more output and revenue for the customer.”

Digital doppelgängers

Here’s where the really sci-fi part kicks in: Ruh also predicts (Predix??, LOL) that GE’s medical division will soon create digital twins for you and me — at birth!

“I believe we will have a digital twin at birth, and it will take data off of the sensors everybody is running, and that digital twin will predict things for us about disease and cancer and other things. I believe we will end up with health care being the ultimate digital twin. Without it, I believe we will have data but with no outcome, or value.”

And, frankly, there’s also a spooky aspect to what GE’s doing, working with retailers to create psychographic models of customers based on their buying preferences. I’m dubious on that account: I do appreciate some suggestion about what might interest me, especially books, based on my past purchases. On the other hand, a couple of weeks ago I shopped for — but didn’t buy — biz cards online. Now I get AdSense ads for these cards everywhere — even on this homepage (sorry for stuff that isn’t IoT, dear reader). Get over it, OK? Count me out when it gets down to really granular psychographic profiles — too many risks with privacy and security.

I suspect digital twins will become a staple of the IoT, yielding critical real-time info on product status that will enable predictive maintenance and, as Ruh has written elsewhere, speeding the product upgrade process because, for the first time, designers will know exactly how the products are functioning in the field, as opposed to the total lack of information that used to be the norm. Stay tuned.

IoT’s Future Makes iPhone Privacy Case Even More Important

Yesterday’s NYT had the most thoughtful piece I’ve seen about the long-term implications of the FBI’s attempts to get Apple to add a “backdoor” to the iPhone that would allow the agency to examine the data on the phone of terrorist Syed Farook, who, along with his wife, killed 14 late last year.

The growth and potential impact of the Internet of Things on our lives will only make the significance of this landmark case greater over time, and I stand totally with Apple CEO Tim Cook (“this is not a poll, this is about the future”) on what I think is a decision that every thinking person concerned about the growing role of technology in our lives should support. It’s that important!

First, my standard disclaimer about Apple, i.e., that I work part-time at the Apple Store, but know as much as you do about Apple’s decision-making process and have zero impact on it. Now for a couple of other personal considerations to establish my bona fides on the issue:

  1. I’m pretty certain I was the first person to suggest (via a Boston Globe op-ed [“Fight Terrorism With Palm Pilots”] two weeks or so after 9/11) that the early mobiles could be used to help the public report possible threats and/or respond to terrorism. Several years later I wrote the first primitive app for first-generation PDAs (“Terrorism Survival Planner”) on the subject, and did consulting work for both the Department of Homeland Security and the CTIA on how first-generation smart phones could be used as part of terrorism prevention.
    I take this possibility seriously, support creative use of smartphones in terrorism preparation and response, and also realize that cellphone contents can not only help document cases, but also possibly prevent future ones.
  2. As I’ve said before, I used to do corporate crisis management consulting, so I understand how fear can cloud people’s judgment on issues of this sort.
  3. I’m also proud to come from a 300+ year line of attorneys, most particularly my younger brother, Charles, who had an award-winning career defending indigent clients on appeal, including many where it might have been tempting to have abridged their civil rights because of the heinous nature of the crimes they were accused of committing.

I like to think of myself as a civil libertarian as well, because I’ve seen too many instances where civil liberties were abridged for one extremely unlikeable person, only to have that serve as precedent for future cases where good people were swallowed up and unjustly convicted (yea, Innocence Project!).

And this case comes right on the heels of my recent blog posts about how federal authorities such as James Clapper were already taking far too much (IMHO) interest in obtaining a treasure trove of data from our home IoT devices.

All in all, there’s a very real threat that the general public may become rightly paranoid about the potential threats to their privacy from cell phones and IoT devices and toss ’em in the trash can. 


That’s all by way of introduction to Farhad Manjoo’s excellent piece in the Times exploring the subtleties of Apple’s decision to fight the feds (see Tim Cook’s ABC interview here) — with plenty of emphasis on how it would affect confidence in the IoT.

As his lede said:

“To understand what’s at stake in the battle between Apple and the F.B.I. over cracking open a terrorist’s smartphone, it helps to be able to predict the future of the tech industry.”

Manjoo went on to detail the path we’re heading down, in which the IoT will play an increasingly prominent place (hmm: in my ardor for Amazon’s Echo, I’d totally ignored the potential for the feds or bad guys or both [sometimes in our history, they’ve sadly been one and the same; for more details, consider one J. Edgar Hoover] to use that unobtrusive little cylinder on your kitchen counter to easily monitor everything you and your family say! Chilling, non?).

Read and weep:

“Consider all the technologies we think we want — not just better and more useful phones, but cars that drive themselves, smart assistants you control through voice or household appliances that you can monitor and manage from afar. Many will have cameras, microphones and sensors gathering more data, and an ever more sophisticated mining effort to make sense of it all. Everyday devices will be recording and analyzing your every utterance and action.

“This gets to why tech companies, not to mention we users, should fear the repercussions of the Apple case. Law enforcement officials and their supporters argue that when armed with a valid court order, the cops should never be locked out of any device that might be important in an investigation.

“But if Apple is forced to break its own security to get inside a phone that it had promised users was inviolable, the supposed safety of the always-watching future starts to fall apart. If every device can monitor you, and if they can all be tapped by law enforcement officials under court order, can anyone ever have a truly private conversation? Are we building a world in which there’s no longer any room for keeping secrets?” (my emphasis)

Ominously, he went on to quote Prof. Neil Richards, an expert prognosticator on the growing threats to privacy from our growing dependence on personal technology:

“’This case can’t be a one-time deal,’ said Neil Richards, a professor at the Washington University School of Law. ‘This is about the future.’

“Mr. Richards is the author of “Intellectual Privacy,” a book that examines the dangers of a society in which technology and law conspire to eliminate the possibility of thinking without fear of surveillance. He argues that intellectual creativity depends on a baseline measure of privacy, and that privacy is being eroded by cameras, microphones and sensors we’re all voluntarily surrounding ourselves with.

“’If we care about free expression, we have to care about the ways in which we come up with interesting things to say in the first place,’ he said. ‘And if we are always monitored, always watched, always recorded, we’re going to be much more reluctant to experiment with controversial, eccentric, weird, ‘deviant’ ideas — and most of the ideas that we care about deeply were once highly controversial.’”

Manjoo also points out that laws on these issues often lag years behind technology (see what Rep. Ted Lieu, one of only four Representatives to have studied computer science, said about the issue).

Chris Soghoian, the ACLU’s chief technologist, brings it home squarely to the IoT’s future:

“’What we really need for the Internet of Things to not turn into the Internet of Surveillance is a clear ruling that says that the companies we’re inviting into our homes and bedrooms cannot be conscripted to turn their products into roving bugs for the F.B.I.,’ he said.”

Indeed, and, as I’ve said before, it behooves IoT companies to both build in tough privacy and security protections themselves, and become actively involved in coalitions such as the Online Trust Alliance.

The whole article is great, and I strongly urge you to read the whole thing.

IMHO, this case is a call to arms for the IoT industry, and the hottest places in hell will be reserved for those who continue to sit at their laptops planning their latest cool app and/or device, without becoming involved in collaborative efforts to find detailed solutions that preserve our personal privacy and civil liberties on one hand, and, on the other, realize there’s a legitimate need to use the same technology to catch bad guys and protect us. It will take years, and it will require really, really hard work.


Oh, and it will also take the wisdom of Solomon for the courts to judge these issues. Sorry to be a partisan, but please feel free to let Sen. McConnell know how you feel about his unilateral decision to keep the Supreme Court deadlocked on this and other crucial issues for well over a year. Yes, even King Solomon couldn’t get past the Senate this year…

Day 2, Live Blogging from SAP’s IoT2016 Internet of Things Event

I’m up first this morning, & hope to lift attendees’ vision of what can be achieved with the Internet of Things: sure, cool devices and greater efficiency are great, but there’s so much more: how about total transformation of businesses and the economy, to make them more creative, precise, and even environmentally sustainable?

I’ve just revised my 4 IoT Essential Truths, the heart of my presentation, bumping “Make Privacy and Security the Highest Priority” from number 4 to number 1 because of the factors I cited last week. I’ll draw on my background in crisis management to explain to the engineers in attendance, who I’ve found have a problem with accepting fear because it isn’t fact-based, how losing public trust could kill the IoT Golden Goose.

I’ll go on to explain the three other Essential Truths:

  • Share Data (instead of hoarding it, as in the past)
  • Close the Loop (feed that data back so there are no loose ends, and devices become self-regulating)
  • Rethink Products so they will contain sensors to feed back data about the products’ real-time status, and/or can now be marketed not as products that are simply sold, but services that both provide additional benefits to customers while also creating new revenue streams for the manufacturer.

I’ll stress that these aren’t just truisms, but really difficult paradigm shifts to accomplish. They’re worth it, however, because making these changes a reality will allow us to leave behind old hierarchical and linear organizational structures that made sense in an age of limited and hard-to-share data. Instead, we can follow the lead of W.L. Gore and its cyclical “lattice management,” in which — for the first time — everyone can get the real-time data they need to do their jobs better and make better decisions. Equally important, everyone can share this data in real time, breaking down information silos and encouraging collaboration, both within a company and with its supply chain and distribution network — and even with customers.

Amen.


Back with Michael Lynch of SAP!

  • we can change the world and enhance our understanding greater than ever.
  • can help us solve global warming.
  • great case study on heavy truck predictive maintenance in GoldCorp Canadian gold mines.
  • IoT maturity curve:
  • Critical question: who are you in a connected future? Can lead to re-imagining your corporate role.
  • UnderArmour is now embedding monitors into clothing.
  • Tennant makes cleaning equipment. Big problem with lost machines, now can find them quickly.
  • Asset Intelligence Network — Facebook for heavy equipment — SAP will launch soon.
  • example of a tractor company that’s moving to a “solutions-based enterprise.” What is the smallest increment of what you do that you could charge customers for? Like the turbine companies charging for thrust.

SAP strategy:

  • “Our solution strategy is to grow by IoT-enabling core industry, and providing next generation solutions for millions of human users, while expanding our platform market by adding devices.”
  • they have an amazing next-gen. digital platform. More data flow through there than Alibaba & Amazon!
  • CenterPoint Energy — correlating all sorts of data such as smart meter & weather. Better forecasting.
  • Doing a new home-based diabetes monitoring system with Roche.
  • Doing a lot of predictive maintenance.
  • Connected mining.
  • Building blocks:
    • Connect (SAP IoT Starter Kit)
    • Transform
    • Re-imagine

Ending the day with my presentation on first steps for companies to take in beginning an IoT strategy, with special emphasis on applying analytical tools such as HANA to your current operations, and building “precision operations” by giving everyone who needs it real-time data to improve their job performance and decision-making. Much of the presentation will focus on GE, with its “Brilliant Factories” initiative!

Even More Reason to Boost Internet of Things Security: Feds Spying

As if there wasn’t already enough reason to make privacy and security your top IoT priority (see what I wrote earlier this week), now there’s more evidence Uncle Sam may be accessing your IoT data as part of its overall surveillance efforts (MEMO to NSA Director: we notice the lights at the Stephenson household went on precisely at sunset. Was that a signal to launch Operation Dreadful Winter?).

The Guardian reports that US Director of National Intelligence James Clapper told the Senate:

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

Shades of former CIA Director David Petraeus, who I noted several years ago was also enamored of smart homes as the motherlode for snooping:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’ All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance. ‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’ Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’”

Yikes!

Gathering data on spies, terrorists and other malefactors is always such a double-edged sword: I’m generally in favor of it if there’s demonstrable, objective proof they should be under surveillance (hey, I went to school with uber-spy Aldrich Ames!) but if and when the NSA and CSA start hoovering up gigantic amounts of data on our homes — and, even more questionably, our bodies [through Quantified Self devices] — then we’ve got to make certain that privacy and security protections are designed in and tough, and that there is some sort of effective civilian oversight to avoid gratuitous dragnets and trump(ooh, gotta retire that word from my vocabulary)ed up surveillance.

Big Brother is watching … your thermostat!

No Debate: Protecting Privacy and Security Is 1st Internet of Things Priority

This just in: your Internet of Things strategy will fail unless you make data privacy and security the absolute highest priority.

I didn’t always think that way.

Long-time readers know one of my favorite themes is what I call the IoT “Essential Truths,” the key priorities and attitudinal shifts that must be at the heart of all IoT strategies. I’ve always ranked privacy and security the last on the list:

  1. Share Data (instead of hoarding it, as in the past)
  2. Close the Loop (feed that data back so there are no loose ends, and devices become self-regulating)
  3. Redesign Products so they will contain sensors to feed back data about the products’ real-time status, and/or can now be marketed not as products that are simply sold, but services that both provide additional benefits to customers while also creating new revenue streams for the manufacturer.
  4. Make Privacy and Security the Highest Priority, because of the dangers to customers if personal or corporate data becomes available, and because loss of trust will undermine the IoT.

No longer.

I’ve reversed the order: privacy & security must be the precondition for anything else you do with the IoT, because their absence can undermine all your creativity.

Newsweek article about Shodan

The specific incident that sparked this reordering of priorities was a recent spate of articles about how Shodan (in mid-2013 I blogged about the dangers of having IoT data show up there — did you pay attention??) — the “search engine for the Internet of Things” — had recently added a new feature that makes it easy-peasy to search unsecured webcams for video of everything from sleeping babies to marijuana farms. According to CNBC:

“‘Shodan has started to grab screenshots for various services where the existing text information didn’t provide much information,’ founder John Matherly wrote in an email. ‘This was launched in August 2015 and the various sources for screenshots have expanded since then — one of those recent additions is for webcams.’”

I’ve written before that I feel particularly strongly about this issue because, unlike engineers who are hell-bent on getting their IoT products and services to market ASAP and at as little cost as possible, before my IoT days I had an extensive background as a crisis management consultant to Fortune 100 companies that had screwed up big time, lost public trust, and now had to earn it back. As a result, I see IoT privacy and security threats differently.

As I’ve said, a lot of engineers — as left-brained and analytical as I am right-brained and intuitive — simply don’t understand factors such as the fear parents feel when their sleeping babies can be seen anywhere and creeps can yell obscenities at them. After all, fear isn’t factual, it’s emotional. However, that can no longer be an excuse.

No more Mr. Nice Guy! You must make privacy and security a priority on the first day you brainstorm your new IoT product or service, or you risk losing everything.

As cyber-security expert Paul Roberts says:

“The Internet of Things means that the impact of cyber attacks will now be felt in the physical world and the cost of failing to secure IoT endpoints could be measured in human lives, not simply zeroes and ones.

“Like any land grab, the rush to own a piece of the Internet of Things is chaotic and characterized by the trampling of more than a few treasured and valued principles: privacy, security, accountability. As companies clamor to develop the next Nest Thermostat or simply to whitewash aging gear with a web interface and companion mobile app, they’re conveniently forgetting the lessons of the past two decades.”

The key is “security by design.” As Giulio Coraggio puts it:

“the principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor….

The benefits include:

  • “limit the risk that Internet of Things devices are deemed not compliant with privacy laws avoiding sanctions that under the new EU Privacy Regulation will reach 5% of the global turnover;
  • reducing the potential liabilities deriving from cybercrimes since data breaches have to be reported to privacy regulators only if the data controller is unable to prove to have adopted the security measures adequate to the data processing and
  • exclude liabilities in case of processing of data that are not necessary for the provision of the service also through the usage of anonymization techniques which is relevant especially for B2B suppliers that have no relationship with final users.”

Privacy and security are never-ending requirements for the IoT, because the threats will continue to evolve. Making it a priority from the beginning will reduce the challenge.


I’ll speak on this subject at SAP’s IoT 2016 Conference, Feb. 16-19, in Las Vegas.

Live Blogging from the IoT Global Summit

Keynotes:
Came in on the end of a presentation by Rep. Suzan DelBene, D-WA, co-chair of the House IoT Caucus and an IT industry vet. Her litany of federal inaction in the face of rapidly-evolving tech — especially regarding privacy protections, where the key law was enacted in 1986 — was really dispiriting, although it’s good to know there are some members of Congress who are aware of the issue and working on it.

EU Ambassador to the US, David O’Sullivan: the IoT is a “quantum leap” because of combining digital and physical world, and will have huge implications. Europe has created single digital market. Major investments in IoT & funding research on it. Very open research projects. Key is breaking down barriers within the economy. They’re doing research on every aspect of IoT. Priority must be overcoming vertical silos, such as cars and health care. Must balance regulation and innovation. Security and privacy: working on a new set of protections.

Dean Brenner, SVP for Gov. Affairs, Qualcomm: everything will need some form of connectivity. Will need new connectivity paradigm. 4G LTE gives solid foundation for cellular IoT growth. 5G will be fully-deployed by 2020.

Dr. Rakesh Kushwaha, Mformation (hmmm?) Business Leader, Alcatel-Lucent: securing IoT devices. Tech & standards that are already in place to secure mobile devices can be model for IoT devices: they worked with whole range of devices. Fundamental principle of the security: securely update through device/firmware update package. Only about 40% of IoT will be cellular-based. Alcatel securing vehicle-mounted devices using FW/SW updates. They will launch a project called IoT Connect.

Session 2: Security for the IoT

Dean Garfield, president & CEO, Information Technology Industry Council: think of security as a design feature, not afterthought. Have to think of it in global sense (including between vertical silos). Chinese government security demands are actually counterproductive. Security can be a differentiating feature.

Joseph Lorenzo Hall, chief technologist, Center for Democracy and Technology: “IoT Spectrum of Insanity” — such as #IoT door locks, require protections be built in. Security by design. He thinks privacy is a bigger factor than security.

Stephen Pattison, vp of Public Affairs, ARM. Hacker only has to get it right once. You have to get it right every time! Sensors will have to be very cheap ($5 or less), which will require real creativity. Security will drive acceptability of IoT. Security breaches will be a major risk for IoT companies.

Chris Boyer, asst. vp, Global Public Policy, AT&T: different security concerns in each vertical domain. Functional classification determines the risk (for example, some affect interruption on critical infrastructure, or life risk). Virtualize security around the end device. Industry activities: application layers, service layer, network layer, access technologies. Looking for acceptable risk management levels.

Rory Gray, global head of sales, Intercede: “need world of trusted digital identities.” “Identity is the new currency.”

Government procurement standards may drive privacy and security by design.

Adam Thierer: are we overestimating how much people really care about IoT security (vs. the “cool” factor??).

Afternoon Privacy Panel:

Gary Shapiro, president & CEO, CSA: he disagrees that you should HAVE to give permission to have your info shared: cites all the benefits of sharing data. Thinks we went overboard with HIPAA & privacy. Announcing agreement on guiding principles for sharing health info from #QS devices. A sense that products will be unwelcomed if they create privacy or security issues: example of an Intel engineer who has vision problems. On a personal basis, his mother had terrible time with Alzheimer’s: he’s upset he won’t have access to a Google face recognition technology.

Rob Atkinson, president, Information Technology and Innovation Foundation: “privacy fundamentalists” argue really heavy regulation is way to protect privacy. BUT, no empirical studies underlying that. Pew survey showed few people believe their landline or credit card data will be private, YET almost everyone uses credit cards or phones: i.e., no correlation between people’s belief in privacy of various technologies and their actual use of the technology. Overly stringent privacy regulations will reduce their availability. Much of real value of IoT data is from secondary use of the data, which would be undermined by tough regulation. Way too early to put regulatory regime into place for IoT.

Maneesha Mithal, assoc. director, Division of Privacy & Identity Protection, Bureau of Consumer Protection, FTC: two fairly controversial aspects of their 2013 workshop: minimizing data collection debate — said you shouldn’t collect all sorts of data forever, BUT, perhaps collect less sensitive data if they could still derive value. Second issue was “notice and choice.” Tried a middle ground: room for notice and choice. Discussion of regulation: middle ground on regulation: shouldn’t have specific IoT regulation, but should have general, baseline privacy and security protections. We don’t bring “gotcha cases.” Could have program that would provide incentives for self-regulation.

Gilad Rosner, Founder, Internet of Things Privacy Forum: “notice & choice” has been the default privacy & security approach for Internet, but it “fundamentally places the burden of privacy protection on the individual.” A presidential group said the responsibility should rest with the provider, not the user. Hallmark of a civil society is being regulated.

Day Two:

smart health panel:

You can access my “Smart Aging” presentation on SlideShare.

Peter Ohnemus of dacadoo, a Swiss company, gave an overview of IoT and healthcare and talked briefly about his company’s Health Score, a 0-1000 score assigned to participating individuals based on their real-time scores on factors including movement, nutrition, sleep and stress.

Chantal Worzala of the American Hospital Association gave an overview of issues such as information interoperability and new wellness incentives.

Robert Jarrin, senior director of gov. affairs for Qualcomm, talked about some of the policy issues. FDA now has dedicated staff for electronic devices, and it no longer requires regulatory compliance for some basic devices.

Smart Home panel:

Hmm. Little actual focus on smart homes in this one…

Cees Links, ceo, GreenPeak Technologies: they are a chip manufacturer, “wireless plumbers.” Shipped 1M ZigBee chips. “IoT is not about things, it’s about services.” “Smart Home should be called a butler.” Confusion about IoT standards: thinks ZigBee & Bluetooth will survive, proprietary standards won’t.

Ilkka Lakaniemi, chair, European Commission’s Future Internet Public-Private Partnership Program: working on smart cities strategies, esp. ones that are scalable. Working with NIST on common standards for the demo grants in US & EU. 61 cities involved.

Tobin Richardson, president & ceo, ZigBee Alliance. ZigBee, wi-fi & Bluetooth will form basis of a stable ecosystem. Dollar chip is the goal, getting there quickly.

Paul Feenstra, sr. vp of government & external affairs, The Intelligent Transport Society of America: evolution over last 5 years from car focus to a really varied multi-modal transportation industry. Shocking how we accept the high death rate & congestion on highways. 80% of crashes could be avoided by connected cars.

Business Models for the IoT:

Ana Sancho, Libelium: they manufacture sensor networks for the IoT. Solve problems from smart cities to agriculture & water resources. More than 90 different sensors. So far they see clients only testing the waters with IoT, not wide-scale implementation.


Stephenson blogs on Internet of Things strategy, breakthroughs and management: http://www.stephensonstrategies.com/