Computer Security Expert Witness On “The Internet Of Things”

In The Internet of Things, for Better or Worse, computer security expert witness Steve Burgess writes on networked devices. Burgess Forensics has offered computer forensic and electronic discovery as well as expert witness testimony since 1985.

“The Internet of Things.” Sounds like a carnival ride or a zombie movie doesn’t it? But it’s not that and it’s not a new idea. Bill Joy of Sun Microsystems was talking about networked home appliances & devices at the turn of the last millennium when he announced the advent of Jini, Sun’s java-based network architecture for connecting said appliances. The Internet of Things is nearly the same concept – networked devices, with the added feature of being accessible from the Internet.

What kinds of devices make up the Internet of Things (“IoT”)? Anything Internet-connected, which can currently include everything from computer to coffeemaker, from range to refrigerator, from baby monitor to burglar alarm, from car to crockpot. And because they’re Internet-connected some people are afraid that these devices may be subject to malware that will cause them to become zombies.

And indeed, unauthorized use of internet-connected devices has already begun. Around the end of 2013, about 100,000 such devices were used to send about 750,000 spam messages. Seven messages per device is not much, but it is indicative of a real problem. And the low number per device may have been by design, so as to avoid detection. What to do?

It’s bad enough to have to go set your clocks after a power outage or when daylight savings time rolls around. But who has the time or the inclination to install antivirus software on their toaster and a dozen other household machines? How would you even do it? One solution would to require such wireless devices to check in with your home computer on a regular basis, whereupon updates to the appliances’ security could be automatically downloaded. Much like Microsoft Windows Update, it could be automatically installed whenever new malware is detected, and we know that nothing ever goes wrong with Windows Update.

Yes, there are likely to be some unforeseen events. Most will be along the lines of the room getting too warm or the coffee too cool. We may hear of events like a hacker unlocking all the doors remotely and walking in at his leisure. We may see sites full of kiddie scripts allowing teen geeks to turn on your bathtub to overflowing as a prank.
It might be time to hire a Roomba trainer, or hope our little toaster is brave enough to come to the rescue.

Connected appliance vendors will have to harden and update security. There will be messy errors along the way. Devices may still get used to send spam, and certain applications, like alerts to take your meds & the aforementioned door locks will need extra security measures. Amongst the enhanced convenience of automated shopping lists, your car making an appointment with your mechanic, there will be some mishaps that are likely to be mostly sound and fury with little actual damage. Your fridge does not hold your business records or your life history (although it may know when you are bingeing on Ben & Jerry’s). That data will still lie in your computer or your smart phone, devices which are well-ensconced in their ongoing battles against malware. And the big targets for stealing credit info will still be businesses and stores like, well, Target.

Yet, individuals do get targeted by stalkers. On-board data storage capacity in home appliances may be minimal, but still may get stuffed by those attempting to hide – or illicitly share – information. While common IoT capabilities may be relatively minimal, logs of times and dates of access and file markers will become important in forensic examinations. Who will the testifying experts be for such connected devices?

By and large, the techniques and skills needed won’t vary dramatically from the skills currently possessed and being used by computer and network forensics experts today. In-home router logging will be a richer source of evidence, and IP addresses galore will be stored both by the appliances, and the routers and computers though which they are connected to the world. It is likely that forensic software and hardware vendors will design IoT-specific tools for civil and law enforcement forensic specialists alike.

And while I’ve made light of many of these potential device errors and misuse, it is certain that vendors will need to come up to speed quickly on making such machines secure, or lose market share which will prod them into action much more than gentle ribbing by articles such as this. New FTC rules will surely come to pass that may put some bite on manufacturers that do not security-harden IoT appliances.

The Internet of Things is already in our cars, in our hands, and increasingly, in our homes. In a very few years it will be a market worth trillions of dollars. The spoils will go to vendors who make networked Things that are and remain simple but safe, and opaque to those who do not belong.

Read more: Steven G. Burgess.