The Internet of Things (IoT). The rise of the smart light bulb!
Earlier this week I visited the IP Expo show at ExCeL in London. These events are a chance for my colleagues to collect vast quantities of freebies (plastic junk) and to learn what the latest trends in our industry are.
With the manufacturers covering 6 technology areas, the 2 biggest themes were very much cyber-security and GDPR (General Data Protection Regulation). I will explain what this has to do with light bulbs in the next few paragraphs. It’s also very telling when the vast majority of delegates group around the cyber-security and GDPR stands.
So let's clear up a few points. What is this term “IoT”? Quite simply, it is the “Internet of Things”: the connection of billions of devices to the Internet. These are typically known as smart devices.
What has this got to do with Cyber-security and Data Protection? The fact is they go hand in hand in today's data-driven world.
What was refreshing to listen to were the ideas about smart devices from Mikko Hypponen, the Chief Security Officer for F-Secure. I will try to summarise this and add some thoughts of my own on this topic.
First, let's consider the “Hypponen Law about IoT security”:
Hypponen's law: Whenever an appliance is described as being "smart", it's vulnerable.
As we move forward through this second Internet revolution, the embedded technology that allows our devices to go online becomes cheaper. Hence more and more devices are coming online. These are both personal and business devices and include fridges, toasters, TVs, sports trainers, even light bulbs. Pretty much any electrical device will likely have embedded technology that will give it Internet access in the near future. Just take a look at the Bosch website for a start.
Each of these devices will be collecting information about our habits, what we do, and how we do things as well as sending back diagnostic data, logging faults and telling the manufacturers how well the device is working.
This brings together the two themes of the show this year: the collection of personal data (GDPR), and how we protect that data and the devices collecting it.
We are adding more and more devices into our homes and businesses, opening up both our personal and business lives and providing more information than ever before.
So what has this got to do with you and what do you need to consider?
How do you protect those smart devices from compromise?
With more smart devices, the risk and vulnerability increase (refer to the Hypponen law above!). The more vulnerabilities we have, the more likely it is that a compromise will occur.
Within our homes, it may mean that a loss of data could also lead to a loss of identity, financial loss and, of course, the loss of our personal privacy. The financial cost could be from ransomware selling back our own private data to us.
A compromise could lead to a system failure: your lights turn off, your oven won't turn off, everything in the fridge defrosts. The idea I liked the most? Your car drives off automatically in the night to be stolen by a gang of thieves who didn’t even have to visit your home.
Within our businesses, this may mean a loss of data, and now we are back again to GDPR where we may face fines (% of turnover) and loss of business as well as reputation.
The worst scenario is a loss of life due to a compromise.
The first thing is that we need to be careful what devices we buy, and how we install them. This is probably easier in a business than it is at home. We have gone through a period when things have become simpler and easier to install, so we have done just that and started filling our homes with these smart devices. I like the ability to watch the BBC iPlayer on my TV; if it wasn’t a smart TV, that wouldn’t be possible.
In a business network, we typically place different types of devices on separate networks that we can control and monitor. A common example of this is that the CCTV system and the modern VoIP phone system are normally run on separate networks, and may share a common Internet connection or use separate Internet connections.
In the same manner, we may decide to place these smart devices on a separate network so that they can be more easily monitored and controlled.
What are the side effects from a loss of service?
A loss of service could have the same consequences as a compromise. This is difficult to predict, and every device will have a different response to a loss of connectivity. In the most basic cases, it may purely be a loss of functionality causing inconvenience. But I'm sure we can all think of scenarios where a loss of service could lead to a loss of life: for example, an electrical appliance fails to turn off and a fire occurs due to overheating.
What data is being collected and how is it being used?
I think more people will start looking for statements from the vendors of smart devices covering these items. We have become so used to ignoring terms and conditions and just clicking Next, Next, Next to finish installing something that we will need to take more care.
Someone is collecting that information and they had better be keeping it safe!
If you have any concerns or thoughts on this then please get in touch.