What makes the Internet of things cheap also makes it insecure

By Adam Tinworth

08/11/2016 | Jean-Louis Gassée, a former Apple executive and writer at Monday Note, has published a long piece exploring the deep problem of security and the internet of things. We looked at similar issues over the weekend.

Gassée digs deep, though, into the reasons for this security problem. And it's all down to how cheap off-the-shelf components make manufacturing connected devices - and how little consumers care about upgrading them.

Your computer module suppliers have sold millions of identical building blocks to your competitors and other Consumer IoT dreamers: DVRs, smart locks, weather stations, lighting systems… Finished products are sold to technically unsophisticated consumers who ignore updates or forget their logins and passwords. The module makers have anticipated this predicament and designed in a backdoor, a login/password combination that allows tech support to remotely take control and make the user happy.

The dark army of zombie connected devices

And why is that a problem? Because once hackers have cracked one of a particular range of devices, they've *cracked all of them* - and can pop malware on there whenever they want.

The pirates have taken over the ship. They upload software to your unsuspecting device and turn it into a weapon that’s part of a massive Denial-of-Service (DoS) attack. Your security camera has been conscripted into a guerrilla army that incapacitates a website with an overwhelming volume of requests.

And that's exactly what happened just a few weeks ago:

FRIDAY MORNING IS prime time for some casual news reading, tweeting, and general Internet browsing, but you may have had some trouble accessing your usual sites and services this morning and throughout the day, from Spotify and Reddit to the New York Times and even good ol’ WIRED.com. For that, you can thank a distributed denial of service attack (DDoS) that took down a big chunk of the Internet for most of the Eastern seaboard.

And yes, it was internet of things devices that took them down.

Better to be slow and secure

Ironically, many people criticised Apple for making its HomeKit standard for connected devices too demanding of security, leading to delays in devices being rolled out.

So far, only five companies have launched HomeKit-certified smart home devices. What’s the hold up? Apple has thrown a plethora of challenges at hardware makers, and some developers say one of the biggest is complying with Apple’s strict security requirements on Bluetooth low energy devices.

As John Gruber points out, that stringency is beginning to look distinctly prescient.

We need to get on top of this as consumers, as manufacturers and - most likely - as legislators. Otherwise, the danger is that the internet of things becomes a thousand little back doors into our home. And some of those backdoors are in precious places indeed - like a baby's nursery.

That was three years ago. And yet, things haven't improved.

Photo by Jared Tarbell, and used under a Creative Commons licence.