The emerging Internet of Things (IoT) is full of security holes—and it will remain so until the Internet itself is better secured. According to The Economist, in 2013 more than 800 million digital records, such as credit- and debit-card details, “were pinched or lost, more than three times as many as in 2012.”
Well before Tony Fadell made Nest the iPod of home thermostats, and long before Google acquired Nest for $3.2 billion, cyber-security experts were raising red flags regarding the vulnerabilities of Internet-connected devices. But as the number, form factor and ubiquity of Internet-connected devices mushroom, so do the concerns. Last year, Hewlett Packard’s Fortify on Demand group, which offers security-testing services, initiated an awareness campaign around a top-10 list of IoT security vulnerabilities. The list ranged from security settings that lack configuration options to core issues around the insecurity of Web, mobile-phone and cloud-based interfaces. This year, Fortify on Demand put its theories to the test, analyzing the security features (or lack thereof) of 10 popular devices in some of the most common IoT niches.
While the items were not named, their product categories were listed: television, webcam, home thermostat, power outlet, sprinkler controller, device-management hub, door lock, home alarm, scale and garage door. The upshot? The group found that 80 percent of the test devices raised privacy concerns or allowed weak passwords, 70 percent did not encrypt communications with the Internet or with local servers, and 70 percent employed insecure user interfaces or lacked encryption for software updates.
The group concluded: “The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.”
As if security concerns needed any more validation, the focus of this year’s Black Hat security conference was—you guessed it—the IoT.
Then, over Labor Day weekend, something transpired that might truly force manufacturers of Internet-connected consumer goods to put their security plans into high gear: A hacker or hackers revealed nude photographs of Jennifer Lawrence and a slew of other young Hollywood and music stars.
The hacker or hackers explained, on a Web forum, that they had pulled at least some of the images through Apple’s iCloud cloud-computing service. Apple put out a statement on Tuesday claiming that the stolen photos were not due to a breach in any of its systems. But a story on Wired.com’s security blog (see The Celebrity Photo Hacks Couldn’t Have Come at a Worse Time for Apple) notes that an iCloud password-cracking software suite was released on a popular open-source software forum this weekend. (Sure, the average consumer should be far more concerned with the safeguards surrounding his or her financial data or home address online than about the safekeeping of spicy, personal pictures. But the latter, like it or not, attracts more headlines.)
If a password were to be hacked and personal information were linked to an IoT device—a smart thermostat, say, or a fitness tracker—is that a weakness of the system being hacked into, or is it a weakness in how the password architecture is designed? Both. A user can choose a weak password, but whether an attacker is allowed to try thousands of guesses against an account before it is locked or throttled, and whether a password alone is enough to get in, is a design decision made by the service. If an IoT device sends personal data related to a consumer to the cloud, the security it uses to store that information in the cloud, and the security it employs on the IoT device proper, are equally important.
This hacking scandal also presents an opportunity for the disparate IoT industry groups that have emerged in recent months: the AllSeen Alliance (Sony, Qualcomm and Microsoft), the Open Interconnect Consortium (Intel, Broadcom and Samsung) and the Thread Group (Nest and Samsung). They should get together and use their collective power to build robust security protocols around IoT devices, and around the protocols those devices use to reach cloud servers, before the devices hit the market, rather than after security holes are exploited. The AllSeen Alliance has built an open-source IoT platform, and the Open Interconnect Consortium has its own in the works. The Thread Group, meanwhile, is focused on interoperability between IoT devices.
All three organizations address security, but they need to be working on that critical piece in unison. Plus, while Google is involved by association with Nest, one major IoT player is absent from these industry groups: Apple. And with the release of the iPhone 6 coming in a matter of days, the hacked celebrity photos come with very poor timing for Apple. (The personal-computing giant claims, however, that personal data collected through its HealthKit application, wherein health and fitness data is pulled from various Internet-linked sensors and fitness trackers, will not be stored in iCloud.)
Fortifying security measures might mean consumers would have to wait a few extra months for IoT products. But when it comes to mission-critical devices that could be weaker than the analog versions they are replacing—say, perhaps, mechanical door locks—it is time well spent.
When asked where we should draw the line on the current state of security measures protecting Internet-connected devices, Timothy Ryan, a managing director at Kroll, a cyber-investigations firm, told Bloomberg TV: “It depends on what I’m trying to protect. If it’s the security camera outside my house, not a big deal. If it’s the locks to get into my house, that’s a bigger deal. So the security around those locks needs to be a lot more than [that] around the security camera pointing at my driveway.”
Ryan said he would definitely not trust a medical device linked to the Internet of Things, based on the current state of IoT security. What’s more, he even called for government involvement in such devices, suggesting an “electronic version of the FDA.”
Surely, the suggestion of government regulation will strike fear into the companies that are trying to speed IoT products to market.
Mary Catherine O’Connor is an independent journalist who writes about technology, as it relates to business and the environment. She is also a former staff reporter for RFID Journal.