No Debate: Protecting Privacy and Security Is 1st Internet of Things Priority

This just in: your Internet of Things strategy will fail unless you make data privacy and security the absolute highest priority.

I didn’t always think that way.

Long-time readers know one of my favorite themes is what I call the IoT “Essential Truths,” the key priorities and attitudinal shifts that must be at the heart of all IoT strategies. I’ve always ranked privacy and security last on the list:

  1. Share Data (instead of hoarding it, as in the past)
  2. Close the Loop (feed that data back so there are no loose ends, and devices become self-regulating)
  3. Redesign Products so they will contain sensors to feed back data about the products’ real-time status, and/or can now be marketed not as products that are simply sold, but services that both provide additional benefits to customers while also creating new revenue streams for the manufacturer.
  4. Make Privacy and Security the Highest Priority, because of the dangers to customers if personal or corporate data becomes available, and because loss of trust will undermine the IoT.

No longer.

I’ve reversed the order: privacy & security must be the precondition for anything else you do with the IoT, because their absence can undermine all your creativity.

Newsweek article about Shodan

The specific incident that sparked this reordering of priorities was a recent spate of articles about how Shodan (in mid-2013 I blogged about the dangers of having IoT data show up there — did you pay attention??) — the “search engine for the Internet of Things” — had recently added a new feature that makes it easy-peasy to search unsecured webcams for video of everything from sleeping babies to marijuana farms. According to CNBC:

“‘Shodan has started to grab screenshots for various services where the existing text information didn’t provide much information,’ founder John Matherly wrote in an email. ‘This was launched in August 2015 and the various sources for screenshots have expanded since then — one of those recent additions is for webcams.'”

I’ve written before that I feel particularly strongly about this issue because, unlike engineers who are hell-bent on getting their IoT products and services to market ASAP and at as little cost as possible, I have an extensive background before my IoT days as a crisis management consultant to Fortune 100 companies that had screwed up big time, lost public trust, and now had to earn it back. As a result, I see IoT privacy and security threats differently.

As I’ve said, a lot of engineers — as left-brained and analytical as I am right-brained and intuitive — simply don’t understand factors such as the fear parents feel when their sleeping babies can be seen anywhere and creeps can yell obscenities at them. After all, fear isn’t factual, it’s emotional. However, that can no longer be an excuse.

No more Mr. Nice Guy! You must make privacy and security a priority on the first day you brainstorm your new IoT product or service, or you risk losing everything.

As cyber-security expert Paul Roberts says:

“The Internet of Things means that the impact of cyber attacks will now be felt in the physical world and the cost of failing to secure IoT endpoints could be measured in human lives, not simply zeroes and ones.

“Like any land grab, the rush to own a piece of the Internet of Things is chaotic and characterized by the trampling of more than a few treasured and valued principles: privacy, security, accountability. As companies clamor to develop the next Nest Thermostat or simply to whitewash aging gear with a web interface and companion mobile app, they’re conveniently forgetting the lessons of the past two decades.”

The key is “security by design.” As Gulio Corragio puts it:

“the principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor….

The benefits include:

  • “limit the risk that Internet of Things devices are deemed not compliant with privacy laws avoiding sanctions that under the new EU Privacy Regulation will reach 5% of the global turnover;
  • reducing the potential liabilities deriving from cybercrimes since data breaches have to be reported to privacy regulators only if the data controller is unable to prove to have adopted the security measures adequate to the data processing and
  • exclude liabilities in case of processing of data that are not necessary for the provision of the service also through the usage of anonymization techniques which is relevant especially for B2B suppliers that have no relationship with final users.”

Privacy and security are never-ending requirements for the IoT, because the threats will continue to evolve. Making them a priority from the beginning will reduce the challenge.
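What “data protection by design” across the whole life cycle looks like in code, as an added illustration for this post (not code from the post, from Corragio, or from any vendor): telemetry from a hypothetical smart thermostat is stripped down to the fields the service actually needs, the device identifier is replaced with a keyed pseudonym so records still correlate per device without exposing the hardware serial, and records past their retention period are discarded rather than exported. The event schema, field names, retention period and the fixed key are all assumptions made for the example; the sample payloads are constructed.

```python
"""Privacy by design applied to device telemetry: minimise, pseudonymise, expire.

Added illustration written for this post, not code from the post or from any
vendor. The event schema, field names, retention period and key handling are
assumptions made for the example.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields the hypothetical thermostat service actually needs in order to work.
# Anything not on this allow-list is dropped before the record leaves the
# device boundary, so data "not necessary for the provision of the service"
# never reaches the cloud in the first place.
ALLOWED_FIELDS = {"device_id", "ts", "temp_c", "setpoint_c", "mode"}

# Retention period after which records are discarded (assumed value).
RETENTION = timedelta(days=30)

# Constructed sample payloads, as a chatty firmware might emit them. Note the
# owner identity, network and location fields the service has no use for.
SAMPLE_EVENTS = [
    {"device_id": "THERMO-0001", "ts": "2016-02-01T10:00:00+00:00",
     "temp_c": 20.5, "setpoint_c": 21.0, "mode": "heat",
     "owner_email": "alice@example.invalid", "wifi_ssid": "HomeNet",
     "lat": 42.36, "lon": -71.06},
    {"device_id": "THERMO-0001", "ts": "2016-02-05T18:30:00+00:00",
     "temp_c": 19.0, "setpoint_c": 21.0, "mode": "heat",
     "owner_email": "alice@example.invalid", "wifi_ssid": "HomeNet"},
    # Old record: falls outside the retention window and must be dropped.
    {"device_id": "THERMO-0002", "ts": "2015-11-01T08:00:00+00:00",
     "temp_c": 22.0, "setpoint_c": 20.0, "mode": "cool",
     "owner_email": "bob@example.invalid"},
]


def minimise(event: dict) -> dict:
    """Return a copy containing only allow-listed fields."""
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS}


def pseudonymise(device_id: str, key: bytes) -> str:
    """Replace a real identifier with a keyed hash (HMAC-SHA256).

    Records for the same device still correlate, so the service can still
    "close the loop" on that device, but without the key the pseudonym cannot
    be reversed or linked to the hardware serial. An unkeyed hash would not
    do: serial numbers are low-entropy and trivially brute-forced.
    """
    return hmac.new(key, device_id.encode("utf-8"), hashlib.sha256).hexdigest()


def within_retention(event: dict, now: datetime) -> bool:
    """True if the record is still inside the retention window."""
    ts = datetime.fromisoformat(event["ts"])
    return now - ts <= RETENTION


def prepare_for_export(events: list, key: bytes, now: datetime) -> list:
    """Apply retention, minimisation and pseudonymisation, in that order."""
    exported = []
    for event in events:
        if not within_retention(event, now):
            continue  # disposal: expired data is never exported
        record = minimise(event)
        record["device_id"] = pseudonymise(record["device_id"], key)
        exported.append(record)
    return exported


def demo_export() -> list:
    """Run the pipeline over the constructed sample with a fixed key and clock.

    The key would come from a KMS/HSM in practice; a fixed value is used here
    only so the example is self-contained and reproducible.
    """
    demo_key = b"example-pseudonymisation-key"
    now = datetime(2016, 2, 10, tzinfo=timezone.utc)
    return prepare_for_export(SAMPLE_EVENTS, demo_key, now)


if __name__ == "__main__":
    for rec in demo_export():
        print(rec)
```

Two of the three constructed events survive: both carry the same 64-hex-character pseudonym in place of `THERMO-0001`, neither carries the e-mail, SSID or coordinates, and the November record is dropped on retention before anything else is done to it. Rotating the HMAC key breaks linkage with older exports, which is the intended effect when a data set reaches end of life.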


I’ll speak on this subject at SAP’s IoT 2016 Conference, Feb. 16-19, in Las Vegas.

Internet of Things interview I did with Jordan Rich

Didn’t realize this had run several weeks ago, but here’s an introduction to the IoT (based on my SAP “Managing the Internet of Things” i-guide) that I did with Jordan Rich of WBZ Radio, who’s also my voice-over mentor. The examples include the GE Durathon battery plant, “smart aging,” Shodan, the SAP prototype smart vending machine and Ivee. Enjoy!


Shodan: maybe this will get people to take IoT privacy/security seriously!

Wired has an article this week about Shodan, the “IoT search engine,” which I hope scares the bejesus out of enough companies and government officials that they’ll finally realize how absolutely critical it is that we make security and privacy THE top public policy/corporate management priorities regarding the IoT.

Shodan’s homepage proudly proclaims that it will let you “EXPOSE ONLINE DEVICES: webcams, routers, power plants, iPhones, wind turbines, refrigerators (there’s that meme again!), VoIP phones.” Anyone out there who isn’t covered by that list? If so, stay in your cave!

As for everyone else, maybe the CNN story about Shodan from several months ago will do the trick: “Shodan: the scariest search engine on the Internet.” Got your attention yet?

Here’s what Shodan can do, according to CNN:

“It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”

Command and control systems for nuclear power plants? Sheesh!

Reminds me that while the Obama Administration remains abysmally ignorant of the IoT (and, remember, I’m a fan of them in general …) one official who was all in was former CIA Director David Petraeus:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’

All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.

‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’

Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’ All of which is true — if convenient for a CIA director.”

Sufficiently alarmed yet?

Let me be clear: I am convinced that security and privacy are the two issues that have the greatest potential to stop the Internet of Things dead in its tracks — and I felt that way even before Edward Snowden was a household name.

Snowden, ooops, Shodan, has revealed shocking indifference to security on the part of countless organizations (and, BTW, don’t forget that 85% of the U.S.’s critical infrastructure — power plants, pipelines, chemical factories, etc. — is in private hands):

“A quick search for ‘default password’ reveals countless printers, servers and system control devices that use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.”

This is as scary as the Vanity Fair article last year about how a miscreant could use an iPhone to kill you!
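The three weaknesses the CNN piece describes (factory-default credentials, no credentials at all, and control or management interfaces reachable from the public Internet) are things an operator can catch from their own asset inventory before anyone else finds them. The following audit is an added illustration written for this post, not code from the post, from Shodan, or from any vendor: it walks a device inventory you already hold (the records here are constructed) and rates each weakness by exposure. The record fields, the default-credential list and the severity scheme are assumptions made for the example.

```python
"""Asset-inventory audit for default credentials, missing authentication and
Internet-exposed management interfaces.

Added illustration written for this post; not code from the post, from Shodan
or from any vendor. It works from an inventory the operator already holds,
not from network scanning. The record fields, the default-credential list and
the severity scheme are assumptions made for the example.
"""
from collections import Counter

# Username/password pairs that ship as factory defaults. Constructed for the
# example; a real programme maintains this from vendor documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "1234"),
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}

# Constructed inventory records (field names are assumptions).
INVENTORY = [
    {"id": "cam-01", "type": "webcam", "exposure": "internet",
     "auth_required": True, "username": "admin", "password": "1234"},
    {"id": "hvac-02", "type": "evaporative cooler controller",
     "exposure": "internet", "auth_required": False},
    {"id": "printer-03", "type": "printer", "exposure": "lan",
     "auth_required": True, "username": "svc-print",
     "password": "Xk9-unique-per-device"},
    {"id": "plc-04", "type": "turbine controller", "exposure": "internet",
     "auth_required": True, "username": "operator",
     "password": "unique-and-rotated"},
    {"id": "rink-05", "type": "chiller controller", "exposure": "lan",
     "auth_required": False},
]


def audit_device(dev: dict) -> list:
    """Return (finding_code, severity) tuples for one inventory record.

    Severity is driven by exposure: the same weakness on an Internet-facing
    interface is rated higher than on one confined to the LAN.
    """
    findings = []
    exposed = dev.get("exposure") == "internet"
    worst = "critical" if exposed else "high"

    if not dev.get("auth_required", False):
        # "all you need is a Web browser to connect to them"
        findings.append(("NO_AUTH", worst))
    else:
        creds = (dev.get("username", ""), dev.get("password", ""))
        if creds in DEFAULT_CREDENTIALS or creds[1] == "":
            findings.append(("DEFAULT_CREDENTIALS", worst))

    if exposed:
        # Even with good credentials, a management interface belongs behind
        # a VPN or an address allow-list, not on the public Internet.
        findings.append(("INTERNET_EXPOSED", "medium"))
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each device id to its findings (empty list when clean)."""
    return {dev["id"]: audit_device(dev) for dev in inventory}


def severity_summary(inventory: list) -> dict:
    """Count findings by severity across the whole inventory."""
    counts = Counter(sev for dev in inventory for _, sev in audit_device(dev))
    return dict(counts)


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY).items():
        status = ", ".join(f"{code} ({sev})" for code, sev in findings) or "clean"
        print(f"{dev_id}: {status}")
    print("summary:", severity_summary(INVENTORY))
```

On the constructed inventory the webcam and the cooler controller come out critical (default password and no authentication, respectively, both Internet-facing), the turbine controller is flagged only for exposure, the LAN-only chiller with no authentication is high rather than critical, and the printer is clean. The same checks belong in the design review of a new product, which is the point of the post: a device that ships with a unique credential and no Internet-facing management port never appears in a search engine like Shodan in the first place.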

The 85% of critical infrastructure in private hands number should be a stark reminder: the only way we can possibly address IoT privacy and security is through collaborative government/private sector action — with strong involvement by you and me.

If you are involved in the IoT in any way, you simply can’t duck this issue!