The dark side of the IoT

Dai Davis, a solicitor and a chartered engineer who works as a technology law expert, talks to Adam Bernstein and outlines the threats posed by the smart home that few really understand

The internet has revolutionised the way that we shop, discover and communicate. It’s opened up new applications and uses for new and existing technologies. However, on its darker side, it’s just another avenue through which the unscrupulous can exploit and abuse others.

In the beginning, there was what they call Web 1.0, which was just a collection of self-contained websites with no interactivity. Next came Web 2.0, where social media sites and blogs allowed the many to communicate to the masses. The Internet of Things (IoT), where every device is capable of connecting directly or indirectly to the internet, is undoubtedly Web 3.0.

Devices presently range from larger items, such as fridges, to coffee machines and light bulbs. But in the future, IoT could encompass countless everyday items, including cutlery, crockery and clothing. Indeed, according to research company Gartner, there could be 8.4 billion IoT devices in use globally by the end of 2017, rising to 20.4bn by 2020. As products such as connected cars join the IoT, the consequences of insecure devices for their users grow.

Tech law expert Dai Davis sees the technology as beneficial, but riddled with vulnerabilities. “Take internet-connected baby monitors, which allow parents to view their child from a smartphone, as well as a remote monitor. Since 2013, a number have been found to be insecure. The trouble is that all the devices were shipped with the same default password. Naturally, many people never reconfigured them to a different password, which allowed third parties to access their monitors.” He points to a very long published list of other insecure devices, including a baby heart monitor, home security cameras, a wi-fi kettle and a smart door lock.

Cost of production and sale is an issue in ever-more competitive markets, which is why Mr Davis says that major companies that should know better are still trying to cut costs by not individually configuring devices and relying instead on the purchaser to do so. “An example is the British Gas Hive system,” he says. “In August 2015, it was shown to transmit unencrypted data regarding the times at which customers had their heating on. Are they really expecting customers, such as the elderly and infirm, to configure the security, let alone the average purchaser?”

And even once you have successfully configured your device, is it inherently secure? The answer, according to Mr Davis, is that it is not. He points out: “A recent study by the Weizmann Institute of Science in Israel showed that Philips smart light bulbs, even though they employed standard cryptographic techniques, could be hacked into and their settings overridden.”

And what of smart meters, which the Government is trying to promote to us on the back of a European Union decree to do so? Mr Davis notes that the first batch of some 1.5 million installed meters do not allow interoperability. Yet interoperability is surely the one part from which customers theoretically benefit: more detailed gas or electricity usage data should lead to a more competitive market and therefore cheaper prices. He adds that these meters aren’t secure either, on multiple levels.

“Smart meters,” he says, “generally work by transmitting data not directly to ‘head office’, but first to a nearby hub, which will be another smart meter in a neighbour’s house.” That data, if intercepted at the hub, reveals usage from not one but several properties. Mr Davis says that so far, the Government has spent over £100,000 defending a Freedom of Information request made in 2012 to publish an audit of the technology. He adds: “The case is now set to go to the Court of Appeal, with the Government using the standard tactic of trying to outspend the applicant – in this case a retired electricity consultant. Meanwhile, the number of security consultants reporting that smart meters are insecure is increasing.”

Hive smart thermostat

The problem also goes beyond simple security. Mr Davis looks to a study by the Dutch University of Twente in Enschede, which found that many smart meters just aren’t accurate – one was capable of overcharging a customer by 500 per cent. “And another study (Germany, 2012) found that if you had enough data, you could even determine, in some circumstances, what television show a viewer was watching.” Interestingly, data from smart meters has been used in one case in the United States as evidence of marital infidelity.

Mr Davis is worried that “the Government blithely assumes that everyone will just ‘trust’ that whoever holds the data will look after it, that no one other than academics will ever hack into smart meters, and therefore users have nothing to worry about”.

What can you do?

So, what can you do about the lack of security? Mr Davis says the answer is very little and this may be one reason why Barclays bank recently (May 21) ran an advertorial in the Sunday Times warning readers of the security dangers of the IoT. He says the bank’s interest wasn’t entirely altruistic or educational – if the bank can persuade more people to take home security more seriously, it will lower its exposure to risk. The bank did offer some advice. One tip was to continually update all connected devices with any patches made available by the manufacturer.

Mr Davis, however, sees multiple issues with this approach. “Take mobile phones,” he says. “First, it is up to the manufacturer to produce those patches. That is only going to happen most of the time if, as in the case of Philips’s light bulbs, a third party publicises the insecurity. Consider Taiwanese manufacturer HTC. It was so bad at making patches available for its devices that the United States government levied a fine on it.”

Mr Davis also raises the question of how many people actually bother to download and apply patches. “Statistics show that fewer than 10 per cent of users have the most up-to-date operating system installed on their mobile phones. Surely manufacturers cannot seriously expect users to regularly download and update the operating system on their coffee maker?”

There is another serious underlying problem with the IoT, adds Mr Davis. He believes that if you build a device now, you can only make it impregnable with the best technology available today. Even so, most manufacturers don’t do that and indeed cannot reasonably be expected to do so. It is too expensive and, in any event, provides only what Mr Davis calls ‘static security’, because it can’t be updated in the future. He comments that what is considered good information technology security today will not be considered so in five years’ time.

The best alternative is, in Mr Davis’s opinion, to allow the device to be updated, whether automatically or by the user. However, he says that this is not ideal either, because “in either case, by definition, you are allowing a back door into the device that sooner or later someone will discover and abuse”.

The worst case for any product, concludes Mr Davis, is that others will discover security flaws in new products and publicise them. Nastier still, they could sell them on the dark web, so that other less scrupulous individuals will find a way to make money out of those flaws and you won’t know what’s going on until someone turns out your lights.