Cuckoos in the Nest


More speed bumps on the road to the Internet of Everything

Nest, the popular smart thermostat and member of the IoE club, is apparently hackable on the hardware side, according to a team of researchers at UCF. By itself that's not necessarily that useful, but once you do have access to a device inside the home network it can be used as a beachhead for further attacks. A precis of their findings is found in this Forbes article and they’ll be doing a full brief at Black Hat 2014. I don’t know whether they looked at hacking in via the physical Wi-Fi layer, but certainly, like the kettle of doom, there’s the opportunity for a shrink wrapped false flagging operation.

The problem with adaptive tools such as Nest is of course that they need to monitor what you’re doing, so by design they give insight into patterns of behaviour. The other big problem is, as Mark Rogers, one of the Nest co-founders, remarked, “When you have a big install base, you have a target on you”. The attack surface of the IoE is, as they say, huge.

But this story is not really about security. Of more concern is that the UCF team also found that their Nest unit regularly sends back data to the parent company with no option to opt out of, let’s call it what it is, covert surveillance. Worse yet from a privacy perspective, Nest’s been purchased by Google, y’know, that great force for good in the Internet. And as usual, we get the classic big data argument from the supplier that pooling this data allows them to improve their service and provide social benefits.

All of which may be true, but while Nest may respect your privacy today and maintain a Chinese wall arrangement with its great and powerful friend Google, that says nothing about what these two companies will do a year, two years or five years hence. People and companies change, but data is persistent. Data also gains value as it’s combined, which presents an almost irresistible temptation to companies in the data mining business. And of course the black spectral shape of the NSA, or another of the Five Eyes, can always just co-opt your data.

So what to do? Well, back in 1975 Jerome Saltzer and Michael Schroeder articulated the design principle of least privilege in their seminal paper on computer security, The Protection of Information in Computer Systems. The principle basically states that programs should operate using the least set of privileges necessary to complete the job. From this perspective, if data needs to be gathered and pooled to provide the required service, then only the data that’s absolutely needed should be asked for, it should be made explicitly clear why that information is required, with a clear go/no-go decision attached, and finally any data so acquired should be both anonymised and time limited. There’s a TAG on this for APIs, but the principles are the same.

Unfortunately I don’t see that commercial companies can address this problem with any credibility, however sincere the people involved may be, because fundamentally companies are closed and opaque entities accountable only to their owners, if that. Addressing the dark side of the IoE is in essence a job for government legislation, preferably with teeth, and maybe a shotgun. 🙂

Final thought: it is not inevitable that we end up in some oppressive cyberpunk dystopia. The future arises from choices we make today as a society, so let’s make the right ones.