Blockchains solve a very real problem

By Dip Patel, CTO

Welcome back! You must appreciate the importance of security as much as I do.

Let’s recap…

We have covered some of the dangers caused by the lack of privacy on the web and we dove into the reality that more and more of our lives are being connected to the internet, which increases our vulnerability exponentially.

While this is our grim reality today, let’s focus for a few minutes on our future.

We know that technology is constantly evolving and changing. We also know that the biggest threats to home security can be minimized or eliminated.

Here are four threats and solutions to consider:

Security Threat One: Convenience Trumps Security

Typical home networks can have 50+ devices connected to them — and more and more of these devices are designed to control and interact with each other as well as multiple users. The conflict resides when you have to choose between making something secure or making your life easier.

Your phone can grant access to a home, security system, medical and bank records. Oh, and track the location of all of your family members. Let’s not forget that one.

A doorknob can open remotely for your dog walker and your refrigerator can tell you when you’re out of milk.

This all sounds great! But, you have to remember that in order to make something more secure, it typically requires a degradation in convenience — and people choose convenience every time. What good is a remote door lock if you can’t unlock it remotely!

In the world of computing, this is what made the initial router firewall so brilliant. It didn’t bother most people because it provided additional security without deteriorating convenience. It became an issue for installing or running specific applications, but those people worked around it (remember trying to get online gaming working in the 90s?). Security came first.

Not any more. Now, convenience and user experience (UX) steer the boat, and security is surfing in the wake trying to keep up. In many cases, security gets turned off since “it’s a pain in the ass.” After all, when was the last time you received an “update” notice on a device and got excited — “Wow, my device just got more secure!” If you’re being honest, it probably sounds more like “WTF? I’ll do this later.” Am I right?

But in this new world with billions of bots constantly testing for open nodes (any way into your network), “later” is not an option. Most of the time, the devices that don’t update automatically never get updated at all because people forget about them. This is why good companies force updates.

In 2012, it was found that 70% of popular security cameras are susceptible to brute force attacks — the most basic hack. It’s also very easy to prevent — set up a rule that says after three wrong password attempts, you get a 15-minute time out. Done. The irony is palpable…security cameras that an infant could hack.
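The lockout rule described above (three wrong attempts, then a 15-minute timeout), written out as an added example that is not from the original post or any camera vendor. The `LoginThrottle` class, the `key` argument (account name, source address, or both) and the one-guess-per-second scenario are assumptions made for illustration.

```python
import time

MAX_FAILURES = 3            # "three wrong password attempts"
LOCKOUT_SECONDS = 15 * 60   # "a 15-minute time out"

class LoginThrottle:
    """Counts consecutive failed logins per key and enforces the lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so the rule can be tested
        self._failures = {}        # key -> consecutive failures
        self._locked_until = {}    # key -> time the lockout ends

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            # Timeout served: clear state so counting restarts at zero.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, key, verify):
        """verify is a zero-argument callable that checks the password."""
        if self.is_locked(key):
            return False           # refused; the password is never checked
        if verify():
            self._failures.pop(key, None)
            return True
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= MAX_FAILURES:
            self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
        return False

def guesses_checked(duration_seconds):
    """Constructed scenario: one wrong guess per second at one account."""
    now, checked = [0], [0]
    throttle = LoginThrottle(clock=lambda: now[0])
    def wrong_guess():
        checked[0] += 1
        return False
    for second in range(duration_seconds):
        now[0] = second
        throttle.attempt("admin", wrong_guess)
    return checked[0]
```

In the constructed scenario, an hour of nonstop guessing gets only 12 passwords actually checked instead of 3,600. Keying on the account name alone lets anyone lock the owner out, while keying on the source address alone does not slow guessing spread across many addresses, so the choice of key is a design decision.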

Here are some google search strings to show you compromised webcams around the world. Click one, and you can find webcams that are open for you to see, and in many cases, for you to control. Scary! There are software bots out there that do nothing else other than find these feeds, record them and put them through visual interpretation and recognition software.

To compound this, most protections that exist in current network security are focused on blocking external attacks. If a webcam on your network becomes compromised and becomes a bad actor, it can wreak havoc on your network — and since we’re so connected now — wreak havoc on your life.

And look at some of the notable crazy ransomware attacks happening. Ransomware is software that infiltrates your network, encrypts all of your data and holds it ransom until you pay. Just this summer, the municipal governments of Baltimore, MD and Riviera Beach, FL were both held hostage due to ransomware.

So remember, the more devices you have, the more vulnerabilities you have — and the repercussions of an attack, and the incentives for the attacker, are higher than ever. (It’s a markedly different scenario than you have with blockchain!)

Security Threat Two: There is a lack of discipline in hardware engineering

Okay, now I’m going to go Clint Eastwood in Gran Torino on you. “In my day,” yadda yadda yadda…

Back when I graduated from undergrad (shoutout to Drexel!) — it took a lot of time, knowledge and money to produce a hardware product. Most of the technologies we take for granted these days were not even invented yet, or very expensive and very inefficient:

  • Plug and Play radios (WiFi, LTE, Bluetooth, etc.)
  • Plug and Play computers (SoC, Raspberry Pi, etc.)
  • Plug and Play hardware controllers (Arduino, etc.)
  • Plug and Play power systems (USB, PoE, power conditioning, charging, etc.)

These technologies took years of engineering to develop protocols and hardware at scale.

Recall from my previous blog, the proliferation of smartphones with multi-touch, coupled with ubiquitous 3G internet beginning in 2008. As a result, lots of components that used to be state of the art and inefficient became the opposite — commodities and quite efficient:

  • Low Power, Mobile Friendly Microprocessors
  • Low Power, Mobile Friendly Radios
  • Low Power, Mobile Friendly Memory
  • Low Power, Mobile Friendly Power Conditioning
  • High Power, Mobile Density Batteries

One of my responsibilities when I worked at Lockheed Martin was to evaluate remotely operated vehicles. A drone, for example. When I left, I remember key guidance and propulsion technologies within drones would cost thousands of dollars to buy and integrate. Things like IMUs, accelerometers, gyros, etc. This would drive the price of a drone up into the seven-to-eight-figure realm.

Just five years later, I could buy a toy drone with similar guidance technology integrated for $20 on Amazon!!

Nowadays, you can go into stores like You-Do-It Electronics, Micro Center, or Fry’s and buy enough plug-and-play gear to invent awesome hardware, all controlled by easy-to-write software like Python. It’s literally something that can be done over a weekend hackathon. Here’s someone who built a drone using off-the-shelf components and sticks.

Your creativity can be unleashed. You don’t need to understand RF (Radio-Frequency) engineering to build a network anymore. You don’t need to understand power conditioning to use a battery system. Need to control servos and motors? Cool, here’s a bunch of plug and play stuff to do it. And, there are hundreds of hours of amazing content online to give you tips on how to get started. Or you can join one of the hundreds of affinity groups on Slack or online forums for support and collaboration.

This has led to some amazing invention platforms like Kickstarter, Indiegogo and Etsy just for people who invent cool stuff and want to quickly get it to market.

But there’s a problem — this hardware stack is a house of cards. Each part of the stack has flaws that need to be maintained and updated to keep pace with evolving security threats.

Normally, this issue has an upside in that it can lead to an incredible, highly active open source community, like Raspberry Pi. This community collaborates to maintain security — but again, it’s up to the person who integrated the technology to nudge the customer and remind them to update everything.

The other problem — the lowest-cost component usually wins when developing a new product. So, if I can replace my Raspberry Pi with a smaller, more optimized computer for the task, I will probably do that. The issue — and it’s a big issue — is I may not understand the supply chain and engineering that went into that component. Furthermore, no one holds these hardware manufacturers accountable for things that are critically important, like security.

A product can be invented, deemed safe and sold — even if it has a gaping hole in security. This plagues companies large (Google, Samsung) and small (Cayla).

We’re trying to force hardware into a faster, more agile development cycle even at the cost of discipline and security. This leads to a surge of shoddy hardware — and most of it is deployed inside your home network where it can cause the most chaos and destruction.

This is such a big problem that it took down ⅓ of the internet in 2016 when a botnet with over 100,000 compromised IoT devices created and conducted a DDoS attack on Dyn — the internet’s largest name server. It took down sites such as Amazon, Airbnb, BBC, CNN, Visa, HBO, Spotify, Reddit, and many others.

Security Threat Three: More and more devices are subsidized by the data they collect

At my previous company, I became painfully aware that new hardware companies were facing a massive competitive disadvantage. When you’re building a hardware company, margins are king — especially if there’s no subscription fee attached to the hardware.

Here’s a quick Business 101 lesson: If I build a device and it costs me $100 to make, I want to target very high margins to ensure my company is viable. For that reason, I would likely price my product at $299 or even higher. And remember, you need to factor in engineering, marketing, sales, packaging, shipping, returns, warranty, etc.

Normally this is fine since most companies are playing the same game.

The proliferation of connected devices is changing the playing field, however. I used to say to my team back in 2012, “The last place that hasn’t really been quantified is the deep sea, and the home/building — and the home is far behind.”

Companies whose entire business model is data (Facebook, Google, Amazon) saw a huge growth opportunity — collect as much data as possible about your home and how you live in it.

So what did they do? They released hardware at zero or negative margin and they packed these devices with all types of extra sensors with the sole purpose of collecting data.

Let me state that another way. Companies made devices more expensive, by adding more hardware and sensors that literally added zero value at launch. The reason people didn’t think about it is because they didn’t have to pay extra for it!

These companies are building incredibly high fidelity hardware spy gear, and selling it at a pittance solely to get sensors into your home and collect that data. There’s no way a smaller company that doesn’t have billions in revenue at their disposal can possibly keep up or compete. It’s a huge negative feedback loop.

Did you know your Chromecast has extra ultrasonic microphones and speakers in it? Did you know your Nest thermostat shipped with a secret microphone? What’s in your latest Amazon Echo device? Do you really know?

About two months ago, I installed Pi-hole on my home network. This device captures and quarantines internet advertisements, and other nefarious traffic.

Here’s a screenshot of the current dashboard, showing all the intercepted traffic — and it shows that over the past 24 hours almost 7% of traffic was blocked, which makes sense. (This number is much larger when I’m home. 🙂)

I found lots of cool stuff when I first installed Pi-hole, but I was shocked to see that Google’s Chromecasts were all phoning home an alarming number of times, and they were bypassing my protections!

The way that Pi-hole works is by plugging into your home router (the central point of all internet traffic in your home), then capturing and blocking all traffic to specific places (like known ad servers, etc.). On a mobile app, for instance, it will request an ad, but the Pi-hole will just block that traffic.

Not only was Google bypassing this, but there’s also no way for me to change how the Chromecast phones home — meaning I could do nothing to prevent this traffic from leaving my house other than setting up new custom firewalls.

Instead, I unplugged them all. They are sitting in a box waiting to be donated.
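One way to spot a device that sidesteps a Pi-hole, as an added example that is not from the original post or the Pi-hole project. The post does not say how the bypass happened; this sketch assumes the device sends its DNS lookups straight to an outside resolver instead of the Pi-hole, and the addresses, log format and function name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PIHOLE = ipaddress.ip_address("192.168.1.2")   # assumed Pi-hole address
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}

# Constructed sample: "src_ip dst_ip proto dst_port" per line, in the shape
# a router's connection log might be exported.
SAMPLE_FLOWS = """\
192.168.1.23 192.168.1.2 udp 53
192.168.1.40 8.8.8.8 udp 53
192.168.1.40 8.8.8.8 udp 53
192.168.1.40 8.8.4.4 udp 53
192.168.1.23 93.184.216.34 tcp 443
192.168.1.51 1.1.1.1 tcp 853
192.168.1.2 9.9.9.9 udp 53
garbage line
"""

def find_dns_bypass(flow_text):
    """Return {client: {(resolver, kind): count}} for DNS that skips the Pi-hole."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # malformed record
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[3])
        except ValueError:
            continue
        if port not in DNS_PORTS or src not in LAN:
            continue
        if src == PIHOLE or dst == PIHOLE:
            continue  # normal client queries and the Pi-hole's own upstream lookups
        hits[str(src)][(str(dst), DNS_PORTS[port])] += 1
    return {client: dict(resolvers) for client, resolvers in hits.items()}

if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_FLOWS).items():
        print(client, resolvers)
```

DNS carried over HTTPS on port 443 looks like ordinary web traffic and is not visible to a port-based check like this one.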

Security Threat Four: There is no recourse for doing a poor job of security, so why bother?

OK. This one really gets me fired up! There is no accountability out there for lack of security. If a nanny cam gets hacked — due to poor hardware implementation, there is no recourse.

If you find out Google has been collecting occupancy data for every room in your home with a Chromecast in it, you really can’t complain. They are protected by archaic terms of service and lack of understanding from the market.

There is little to no recourse for companies who collect extra data or cause a security breach. Because of this, there’s nothing stopping them from doing just that, especially for companies whose entire business model revolves around data. In fact, they have a fiduciary duty to do so.

This basically means the onus is on YOU, the consumer, to keep yourself secure.

In Conclusion: The Perfect Storm. The Perfect Superstorm.

You have more and more devices being deployed. Each of these devices has more power due to the convenient means by which we interconnect them. These devices are inherently insecure. Large companies are incentivized to collect more data and as such sell these devices for pennies.

And there is no recourse.

This is why cities are being held for ransom (Baltimore and Florida). This is why people get hacked (Apple Cloud, Ransomware for people). And, this is why large companies whose sole purpose is to securely store sensitive information get hacked (Equifax, OPM, and Capital One).

Blockchains are different

“The beauty of blockchains is that they get inherently more secure as more devices are added to the network.”

While currently this model is only used for consensus of simple things — such as currencies — soon these types of architectures will be employed for many other use cases including medical records, identity, bank records, etc.

By removing a centralized area where all of this data is stored (and profited by), we create a more stable and secure system without sacrificing convenience.

For now, change your passwords, keep an eye on your devices, and watch for personal attacks surfacing. The only other people incentivized to understand your security are those who seek to exploit it.