The Internet of Things: Resistance Is Futile, But Resilience Is Fruitful
CONTINUING LAST FRIDAY'S THEME OF WHO'S-SPYING-ON-YOU, A DISTURBING ARTICLE FROM CBS NEWS HIGHLIGHTS HOW YOUR SMART PHONE CAN BE USED AGAINST YOU IN A VARIETY OF CRIMINAL/NEFARIOUS WAYS. What this reminds us is that, per the security expert cited in the story, we're all basically carrying around a mini personal computer in our pockets all day long, and that can be as disastrously hacked as any desk or laptop. Indeed, it can be far worse because of the camera, video, and recording capacities that we tend to view primarily as standard technologies kluged together in one unit, when they're all – to varying degrees – accessible to hackers via the software.
Some highlights from the piece:
Popular apps on your smartphone can be convenient and fun, but some also carry malicious software known as malware, which gives hackers easy access to your personal information.
A security firm found that between 75 and 80 percent of the top free apps on Android phones or iPhones were breached. The number jumps as high as 97 percent among the top paid apps on those devices.
Two caveats can be offered.
- There is the argument that mobile devices are more secure than personal computers and servers, because they're less open (a countering argument being that PCs and servers are targeted far more because that's where the good stuff is – i.e., the data).
- Many experts will also draw a distinction between Android phones and iPhones in terms of architecture and hence security.
With my limited technical knowledge, I'll buy both. But here's the thing: with the blossoming Internet of Things, the number of devices grows fantastically, and the security features built into all those devices tend to be less comprehensive and robust, primarily because these devices are designed for consumers versus enterprises, meaning ease of use and access are paramount. Thus, as we rapidly build out the Internet of Things, we create sort of a wild-west frontier that surrounds all the critical infrastructure upon which these devices depend, allowing for a radical expansion of attack vectors by criminal and malicious actors.
That's certainly not an argument against pursuing the Internet of Things, but it does say that we need to build it out with more care and vision regarding the resilience of the critical infrastructure being increasingly exposed. In effect, our critical infrastructures are going to be subjected to an evolutionary leap of sorts, so we either adapt them in turn (keeping pace), or we suffer new and worse vulnerabilities.
Back to the story and quoted "cybersecurity expert Gary Miliefsky, whose company SnoopWall tracks malware."
Miliefsky said when you download an app, you also give permission for it to access other parts of your phone, like an alarm clock app that can also track phone calls.
"You think an alarm clock needs all those permissions? Access to the Internet over wifi, your call information, calls you've made, call history, your device ID? This to me is not a safe alarm clock," Miliefsky said.
And there's the weather and flashlight apps that he says exploit legitimate banking apps to capture information, as he showed us in a demonstration of what could happen when someone takes a photo of a check to send to their bank.
"The flashlight app spies on the camera and noticed the check and grabbed a copy of it. Shipped it off to a server somewhere far away," Miliefsky said.
Last year the group FireEye discovered 11 malware apps being used on iPhones that gathered users' sensitive information and sent it to a remote server, including text messages, Skype calls, contacts and photos. Apple fought back by removing the apps and putting stricter security measures in place.
"They get at your GPS, your contacts list...to build a profile on you," Miliefsky said.
Some apps are simply collecting information for advertising purposes. In 2014, the Federal Trade Commission settled a lawsuit with a company over its popular Brightest Flashlight app, alleging it transmitted consumers' personal information to third parties without telling them.
But Miliefsky said he's found another flashlight app that can do much more troubling things.
"This one turns on your microphone in the background, listens in on you, and sends an encrypted tunnel to a server we discovered in Beijing," Miliefsky described.
That certainly gets your attention, yes?
Whether or not we buy into the darker, more geo-political aspects, it's clear that we're all being subjected to a game-changing degree of personal transparency, and that, in political terms, the question of who's watching the watchers is just starting to be explored.
Now, a lot of people will respond to these developments by attempting to reduce their exposure, just like a lot of enterprises have attempted over the years. But that approach typically comes with too big a price in terms of lost efficiency, convenience, and sheer opportunity. Building more firewalls as the Internet of Things comes into being is not the answer.
In short, while resistance is futile when it comes to the Internet of Things (and the Borg, of course), resilience becomes the new prime directive for individuals, families, enterprises, communities, governments, and nations.