There is a growing convergence, a growing together, if you will, between the digital Internet, seen only via keyboard, mouse, screen, and other types of Input/Output devices, and the physical world, which we experience every day. And that’s awesome!! Some great examples are laid out in this article on Troy Hunt’s blog. There are exciting products shown in this article, from thermostats, to general purpose sensors used to protect my house from moisture and temperature changes.
When I can control my home alarm system, view my surveillance camera, open my front door locks, and feed my pet, all from my iPhone, the future is truly here. Yeah, let’s discuss why these are bad ideas. What about when I lose my phone? “Oh, you have a lock on it, right?” Yes, but what if the bad guy has good mobile forensic software? Can’t he unlock it? Very possibly. Then he can turn off my alarm system, open the front door, and waltz in and steal my stuff. Hopefully, he’ll at least feed the dog before he goes!
But wait, there’s more! If I install a Nest thermostat at my house, I can remotely control the temperature of the house. If someone can, say, man-in-the-middle (MitM) my phone data, with, say, Kristin Paget’s research on how to intercept GSM, then they can get the codes to reset the thermostat. So what? Hey, let’s turn the heat off in the middle of winter!! Bursting pipes, lots of cleanup, and the service company might be paying off hackers for more business. Win-win all around! Except for you. You didn’t even lose your phone, and all the logs say you did it!!! Hmm, home insurance premium going up again? Darn it!
These are fantastic concepts, and great ideas. Don’t get me wrong. I just worry about the aspects of that convenience and sheer awesomeness that can, and probably will, get abused.
Just as PleaseRobMe.com was put up to show how badly location tracking systems (<cough> Foursquare, Google Latitude <cough>) could be abused, this new Internet of Things can also be abused and maliciously manipulated. We need better security built around these items, or at least, the potential for disaster needs to be thought through.
If you have any of these types of sensors in your home, how could it go wrong? What horrific scenarios can you imagine? And how could we prevent them?
Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas and Security BSides Delaware. He is also staff at Derbycon, Shmoocon, and, as the “InfoSec Megaphone”, anywhere else he goes. Joshua is an experienced forensics, incident response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.