Fear the Unmanaged Growth of the “Internet of Things”

By Mark Stanislav, Security Evangelist, Duo Security

On September 4th, 2013, the Federal Trade Commission (FTC) announced that the complaint it had filed against the network device manufacturer TRENDnet had been settled. This FTC complaint was prompted by concern for public safety after a list of nearly 700 flawed IP cameras was published online. These cameras were known to have security issues allowing an unauthorized person to access an affected camera’s live video feed without the knowledge of the owner. Under the terms of this settlement, TRENDnet is required to establish a security program, have security audits every two years, and is no longer allowed to make statements about its products being “secure”. While this story feels like redemption for the average consumer, what does it mean to the larger topic of fear impacting the growth of the “Internet of Things”?

It wasn’t many years ago that our TVs were just TVs, music players simply played music, and our thermostats were just an unimpressive adornment to an otherwise empty wall in our homes. Now, however, TVs can stream shows live and update themselves, music players are built into cell phones, and thermostats are the hippest thing on our home’s wall. This explosive growth has been enabled through Wi-Fi, shrinking chip sizes, and a dramatic reduction in the cost of component parts. Through the whiplash of Internet-connected-everything, we’ve been somewhat blind to the security implications of having so many devices capable of potentially speaking to the rest of the Internet.

Every few years, we’re told that the federal government may restrict our ability to access certain parts of the Internet based on tiered service levels from our respective providers. Imagine if instead of only being able to go to certain web sites, consumers also could only connect a single brand of thermostat or smart TV to the Internet through this sort of legislation. If consumers are worried about the business reasons for ending “net neutrality”, they should be equally worried about the power of Internet-connected security threats as a rationale to segment the Internet from certain people under the guise of public safety.

There is good reason to fear the unmanaged growth of the “Internet of Things”, unfortunately. The ability for just about anyone to mass produce an Internet-enabled device that can speak to you, or record video of you, or track you via GPS, is continually becoming less of a challenge. While this amazing technology can certainly provide our lives with all sorts of great conveniences, the trade-off to our security may be immense. Information security isn’t easy and few people understand the requisite nuances to handle the responsibilities of always-connected life well enough to assure our safety and privacy.

Our challenge, then, is to demand that device manufacturers have their new inventions tested by a qualified information security professional before shipping them to consumers. Further, the FTC will need to continue to be vigilant in punishing the vendors who choose time-to-market and profits over handling their important responsibility to the level consumers deserve. We can all rest assured, however, that the stakes are only getting higher and the threats are increasing daily.

About the Author: Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based startup focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken nationally at over 70 events including RSA, ISSA, B-Sides, GrrCon, Infragard, and the Rochester Security Summit. Mark’s security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Additionally, Mark is an active participant of local and national security organizations including ISSA, Infragard, HTCIA, ArbSec, and MiSec. Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.

Published: February 5, 2014 By: michaels