The Nightmare of the Internet of Things
Recently I read a discussion about how a typical computer user might learn whether an Internet of Things (IoT) device has been hacked and is a member of a botnet. Some people are now joking that IoT is an acronym for Internet of Thieves.
Despite having a network in the home, I do not pretend to be a networking guru. Not even close. These kind of discussions haunt me.
When I built my house I installed traditional Honeywell mercury-switch thermostats. A few years thereafter I installed some “dumb” programmable thermostats. I change rechargeable batteries as needed, but the programmable thermostats are more convenient and energy efficient. If I was painted into a corner and no longer could buy “dumb” programmable thermostats because only “smart” thermostats were available, I would return to using the Honeywell thermostats. Yes, there would be more manual labor involved to control the temperatures in the house. Yes, I am typical in that often I would forget to manually adjust the thermostat, such as night time when going to bed.
Lately I read that buying a traditional “dumb” TV is almost impossible. That almost all TVs on the market these days are “smart” TVs. Should the current TV in the house die I would not be enthusiastic about about buying a new TV. I have two computers in the house with TV capture cards. Likely for a while I would survive recording and viewing through the network. That is pretty much what I do now as I rarely watch TV live. The difference is I would be watching at a desktop or laptop computer rather than the comfort of the living room. Nonetheless, doable.
Should I succumb to buying a smart TV, I would not connect an Ethernet cable. I have two wireless subnets configured on the network router. One subnet is for the LAN and presumes trusted systems. The other subnet is for guests. The guest subnet is isolated from the LAN. Both wireless networks require pass phrases to connect. Theoretically then no smart TV would be able to connect anywhere.
Living rurally I am fortunate that no neighbors live close enough for any computer device in the house to roam and find open wireless access points. I do not know how I would prevent roaming if living in an urban area.
I have read that some smart TVs are designed not to function at all without first making a connection to the vendor mother ship. Much like the first time a person powers on a preinstalled computer and has to agree to the license agreement. The only recourse is avoid such products.
Possibly in 5 or 10 years vendors will take security seriously with IoT devices. I doubt that will happen until after some people are sued and lose. Or after people die as a result of poor security in a device. Or perhaps DDoS attacks start crippling the entire Internet.
Even if security is addressed, I have little hope for curing the sick desire to mine data from users.
A picture of that future is possible now. When I first powered on my Asus RT-A66U router, I was asked to change the login name and password. This little trick provides the illusion of a vendor thinking about security. Indeed, most of the router hacking that occurs is possible because people do not change these two default parameters.
The sleight of hand is this router still phones home. Not to forget that several ports were open and hackable. This will become common with IoT devices. The firmware will be designed to require users to change login names and passwords. This will be conceived by non technical people as “good” security. Perhaps the firmware will have no such options at all, thereby forcing users into automatic updates only. In either case the caveat is the device will data mine users to Hell and back. Various ports will be open. If any of these devices are hacked then the device becomes part of a botnet.
As the IoT becomes prevalent in the market in the upcoming years, I suspect people who do not want such products will become a minority. Buying “dumb” products likely will become more challenging and possibly impossible with certain product types.
The part of this discussion that haunts me is preventing this madness will be possible only to those people who have better than average networking skills.
I use separate subnets and VLANs to isolate trusted and untrusted devices. My current network configuration probably is more secure than many home networks. Yet I am uncomfortable with the idea that I might have to someday further expand the network simply to keep IoT devices off the network as well secure the devices from any Internet access at all.
When science fiction authors and enthusiasts envisioned a future including smart homes and devices, they never conceived that such devices would be used as tools to hack everybody or intrude on the privacy of owners.
This is not the kind of world I want to live.