Welcome to the world where your car, TV, smoke detector, thermostat, and even your coffee maker connect to the Internet. Don’t believe me? Well, Gartner says we will have 4.9 BILLION connected devices in use by the end of this year. This number also includes the usual suspects in the form of our PCs, laptops, and phones, and we generally understand what these devices do and the risks associated with them. But do we really know what the risk might be from installing that Nest thermostat and smoke detector, or from having a car that receives software updates over the Internet and reports back to the manufacturer how and where we drive? Whether you decide to use connected devices or not really isn’t the issue for me as much as whether you are Aware, Educated and Diligent in using them. And by the way, I am pretty sure you are already using them.
First, I know there are many “bigger” risks in your mind than your coffee maker, and you would be right. Let’s take the wireless keyboard and mouse I use here at my desk. I just saw an article about how a firm called Bastille has discovered a way to hijack them both via the wireless signal they use. Now the vendor says it isn’t practical since these are short-range signals, but isn’t the point that they can be? You also have the issue of Wi-Fi in public spaces such as Starbucks and airplanes, and how easy it is for someone to read what you are doing if you aren’t using a VPN or encryption. But let’s get 3-5 years down the road, where almost everything is connected and all of it is gathering data, transmitting that data and taking commands/updates from other systems on the Internet. Then let there be a “bug” in one of those widely deployed systems that someone can take advantage of to do something unintended.
So first, you should be Aware that more and more devices are connected. You should know which devices you own that are connected to the Internet. This may be something as simple as your TiVo or as complicated as your power meter or security system. Being aware of what you have and how it connects will give you the first line of defense. So maybe you don’t opt for the security system that connects via the Internet to the monitoring station and instead you let them use a landline still. Not saying that you should, but being aware lets you make that decision. Remember, if it has a data or phone cable, a Wi-Fi card, or a cellular card in it, then it is likely getting and sending information to and from someplace else.
Second, you need to Educate yourself, which may mean taking the time to read some of that “mice type” or, even worse, THE USER MANUAL to understand more, or at least have someone you trust be directed to do it. This is where you can begin to understand what exactly is being gathered, transmitted and received. In many cases you can configure what you want the device to transmit and what you want it to receive. Did you know that if you have an iPhone, by default I can look in your settings and see places you have driven over the last little while? We aren’t too far away from a time when medical devices you can wear, transmitting truly personal data, might be sent home with you or a loved one due to some condition. Now with medical data I am not as worried about someone stealing my grandmother’s blood pressure, but what if the vendor has a relationship with her insurance carrier and is sending it along to them without us knowing, and they decide that because she isn’t doing something right in their eyes they change her premiums? At least if we ask the right questions and read, we can know what is possible and what is likely and decide what to do from there.
The third thing is to be Diligent about what you let others bring into your business. Yes, again I am talking about the small percentage of things that might cause harm, but how many of you remember when the iPod came out and it wasn’t long before people realized you could use them to copy data and take it out of the office? Even the Pentagon had to ban them. And don’t get me started on USB drives; they are still one of the biggest risk items we find in security assessments, in how people will pick them up and plug them in without thinking. As the consumerization of IT continues and we find it easier and easier to run out and grab an Apple TV or Chromecast to connect to the TV to do presentations, we continue to drop our guard about security and assume that those vendors wouldn’t put out things that aren’t safe or could be used against us. But no one ever thought Apple might put a backdoor into all of their devices so people could get in either. But that might just come to pass also.
So while I think the IoT is far from a major security issue for most small businesses, I learned long ago that if you don’t start early and often with Awareness, Education and Diligence, getting that horse back in the barn can be a lot more work later. So what devices do you have that are connected all the time? Do you know what they are telling others about you? The ones that I am most interested in and amazed by right now are the connected cars. At least in the future, when my daughter can drive, I can not only track her with it but maybe even control how fast she goes and where. Just a protective dad’s dream. :)