Spying has become such a commonplace that it is barely news any more. If newspaper reports are to be believed, then the only person in the world who has never been spied upon is Donald Trump, but he still thinks people are tapping his phones. Thanks to Ed Snowden we already knew that the NSA and GCHQ, the electronic intelligence agencies of the USA and UK respectively, are gathering huge amounts of data about everybody. We also learned they both do sophisticated work to hack into devices and undermine encryption. More recently WikiLeaks revealed the extent of the surveillance tools developed by the United States’ Central Intelligence Agency (CIA). These tools allow the CIA to…
…compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”
Perhaps the ultimate Big Brother revelation was that the CIA has the ability to turn televisions into microphones, even when they seem to be switched off. There used to be an old joke about the difference between the USA and the USSR which went something like the following…
Here in America, everyone watches television. In the Soviet Union, television watches you.
We might long to return to simpler times when only Soviet televisions were bugged! But it keeps getting worse. Now we buy devices because we actually want them to listen to us, like the Amazon Echo. Then we act surprised that the things we say are being stored on somebody’s server and might be accessed by the police when investigating crimes.
The technology of voice interfaces gets better all the time, and so we will spend a lot more time talking to an increasing range of devices connected to the Internet of Things. This is inevitable; there is no need to waste money and space on display screens and buttons if we can simply tell a machine what we want it to do. Human beings already talk to each other, so speaking to devices will come naturally. Microphones are small, which makes them ideal for the tiniest devices. But we are going to kill privacy by adding microphones to a rapidly multiplying number of small devices which are all connected to the internet. That is because we know that IoT devices will not be secure. If you do not believe me, then listen to the experts…
“The level of security in the IoT world is very low.”
“The probability of a successful attack is approaching 1.”
“Apple is a hundred times more secure than rivals, but we don’t know how to motivate those rivals to improve.”
“We are in for some very severe security problems in the near future.”
These quotes came from the “Connected Devices and Threats” panel at the recent Wearable Tech Show 2017. The speakers on that panel were: Nick Hunn, WiFore CTO; Dr David Everett, Microexpert CEO; Nicolai Landschultz, Director of Indigozest Ltd; and David Bairstow, VP of Product at Skyhook. They also agreed that theirs was ‘the most important panel’ at the conference, but you would not guess it from the number of empty seats in the room. To summarize, four experts with plenty of technical know-how who also care passionately about security are convinced that people will suffer by being surrounded by IoT devices which do not respect their privacy and do not protect them from harm. Whilst the panel noted that customer awareness of the risks is important, they questioned the lack of clarity over who will regulate the flow of data and connection between IoT devices. They also struggled to think of ways to encourage more investment in security.
If the situation sounds grim, then it should. We are working in an industry where many are behaving like irresponsible children. They race towards the shiny exciting new toys and convince themselves they will be a source of profit and happiness, just like a kid gleefully unwrapping the presents on Christmas morning. But who is left tidying up the mess when those toys are left lying all across the floor? Nobody wants to be the sensible parent doing the boring chores created by an immature industry. But somebody has to do it, and whilst parents take on their burden because they love their children, professional caregivers expect decent payment.
Too many of our conversations about security get stuck in a hopelessly repetitive cycle: execs do not prioritize security, regulators fail to do a good job, customers do not know the risks they take, so execs remain complacent… However, there is a crucial fourth party who keeps being left out of the loop. We need to engage with investors too. It is their money which pays for everything, including security. I do not need to be an engineer to know I should not borrow money to build an office block which will fall down, and it is a bad idea to invest in manufacturing a car that has bad brakes. So why would I invest in technology which will crash the market for IoT – and for every connected business – because of the reaction when customers discover that the intimate details of their private lives have been shared with crooks, enemies, neighbors and lunatics? And those private details will be shared with the government too (though some of you will consider your government to have been covered by one or more of the categories listed in the previous sentence).
If you think the evils of cyberstalking, jihadi YouTube videos and revenge porn are bad, wait until somebody can take a recording of all the goofy things you say whilst watching the TV and run it through software that looks for material to embarrass or blackmail you with. Or uses the microphone in your bedroom to check how long you make love, and whether it was with your spouse. Or targets your home for burglary because your fitness aid is telling the world that you are currently running on the far side of the park. Then imagine the rapidly falling demand for the devices that spied upon people, the costs of settling big lawsuits, the new burdens that will be placed on the small number of big companies which will transmit or store the relevant data… I could go on, but hopefully you get the picture by now. This is not just about bad security. This is about bad business.
Benjamin Franklin said that experience keeps an expensive school, but some learn at no other. Cost is the key factor in the debate about security. Some want to spend less on security now, but that is a false economy. If we do not increase expenditure on security now, in order to safeguard the privacy of customers, the costs will be far higher at a later stage. We may learn from failure, but we may not be able to afford its bill. Who ultimately endures the cost of lax security? Customers may suffer and employees can be fired but eventually the cost hits the shareholder. If the security industry wants more money it needs to do more than appeal to execs, regulators and governments. It needs to directly persuade shareholders that spending on robust IoT security is as necessary as performing fire drills or taking out insurance. If not, the internet of things will destroy our privacy long before we realize how much we have lost.