Hacking the Internet of Things looms over CES

Author: Elizabeth Weise Date: Sat, 02 Jan 2016

Click here to view original web page at www.usatoday.com

SAN FRANCISCO – The Internet of Things looms large at this year’s Consumer Electronics Show, with a host of products and devices wired to send and receive information.

They include everything from connected LED systems that sent messages to store managers about which displays customers are lingering in front of, to a switch that lets parents use a smartphone to turn on the lights in their teen's room to wake them up — when the parent's already at work.

Along with these networked devices will come a heaping helping of concern. Several CES panels are devoted to potential problems.

Much of the discussion will focus on two main issues: privacy and security.

At its heart, the phrase “Internet of Things” simply means that an object has sensors embedded in it and the ability to send the data it collects outward, usually via Wi-Fi or the Internet.

The devil, as always, is in the details. How does it send and what does it send?

Say the object in question were a nuclear power plant, a bicycle or a box of tissues.

If it’s a nuclear power plant, the data could include how hot the reactor is running, how much waste has built up and how much energy is being produced.

A bicycle might broadcast its location, how hard the person riding it is working and whether its chain needs oiling.

The tissues might send a message to your shopping list that the box is almost empty and you need to buy more.

Each of those examples also has a dark side.

Hackers could intercept information on how much spent fuel had built up and alert attackers looking to steal it. Or worm their way in and destabilize the cooling system to cause a melt down.

The cyclist could be tracked, or their fitness (or lack thereof) be used by insurance carrier to jack up their rates.

And the tissue box could allow a marketer to infer your family is in the midst of a bout of illness and change the ads you see to include cold remedies.

Worries abound

Security experts fret that all these devices busy collecting, storing and sending information are not properly protected.

That’s what happened with the Web, which was originally designed to make information sharing easy but with no security or privacy baked into that design.

"We have to start architecting security into the Internet of Things now, so it’s not the Web all over again,” said Gary Kovacs, CEO of AVG Technologies, who will speak at a CES forum on CyberSecurity.

However making money tends to be at the top of most company's To Do list, said Jeff Greene, senior policy counsel at Symantec. He doesn't think The Internet of Things is going to bring about the End of Days, but he does worry that functionally is what sells and what’s driving development.

That's all fine and good, but designers need to start thinking about privacy and security ahead of time, “as opposed to throwing it out there and seeing what happens,” said Greene, who will be speaking on a CES panel about the IoT.

First and foremost, all these devices need an on-off switch "so it's clear to the user when they're being observed, so they can opt out when they want to," said Nuala O’Connor, CEO of the Center for Democracy and Technology, a Washington D.C.-based privacy rights non-profit.

Developers also need to think about the unintended consequences of the products they’re putting out in the world, said Greene.

“Suddenly you’ve got layers of connectivity – ten devices that are interconnected and sharing information in ways that were never envisioned by any one designer, that can bring about new issue that no one ever considered,” he said.

Thinking about the future is key because the ability to hack into devices only gets easier over time. The software and programs that will run all these devices also should to be built so that it can easily take security updates, say the experts.

Businesses even need to think about how that will work long after they themselves are gone. Customers keep using devices years after the company that built them went out of business or the team that created them was assigned another project.

“So you’re going to have all these broken connections that literally cannot be updated and secured,” Greene said.

The good news, says O'Conner, is that privacy and security are all still solvable problems. But people "need to start embedding that thinking in their products now."