On the Internet of Things

I hate the term “Internet of Things”. I say “Internet of Things” and “IoT” because everyone else does, but I don’t like it.

Not everything needs to be online. There’s a Twitter account called @InternetOfShit which posts regularly on this topic.

The first and most important reason why this is a bad idea is security. The Internet is planet-wide, where everyone with a connection is a potential threat. You really don’t want personal and private devices viewable, and possibly controlled, by just anybody.

The second problem is ownership, which also touches on privacy to an extent. Buying devices that rely on third-party providers (including the “trustworthy” ones like Google) means your private stuff is viewable by employees of those companies.

It also means that you could end up with useless equipment that cost a lot of money if the company shuts down or gets sold, and now a marketing firm who buys the assets has access to pictures of the inside of your house, which they will sell indiscriminately to defray expenses. If that doesn’t terrify you, please stop reading, turn off your computer or mobile device, and never visit my site again.

I won’t even get into how white-label Internet-connected cameras (manufactured inter alia by Sony, famous for being hacked many times) need to be rounded up and set alight, because their passwords are 888888, cannot be changed, and can be easily accessed remotely. The prevailing advice from security experts, in fact, is to toss these devices out.

A lot of crime is opportunistic. A database containing credit card numbers, personal information, nude photos, gamer tags, digital currency, whatever it may be, is attractive to certain people who have the technical skills to exfiltrate that information and sell it on to someone else. Rarely will you find that the people stealing this data are the ones using it. Firstly, that’s liable to get you caught, and secondly, the exfiltrator (or “hacker”, an unfortunate use of a perfectly cromulent word) just needs the money, or to prove his or her skills. The big paydays come from large data dumps. Sony, LinkedIn, Tumblr, Adobe, Yahoo, Yahoo (yes, twice), the list is endless.

So what’s the solution? With the number of devices growing exponentially every year, there’s no getting away from the convenience of having lights that turn on when you get home or a video camera to see if anyone is stealing your FedEx packages.

Ironically, the perception of extra safety and security provided by the devices is thwarted by their inherent lack of security. Manufacturers are racing to get into the market, forgoing testing. “Let the customer be the beta tester” is Google and Facebook’s mantra. Many companies are to blame; I’m not just singling these two out. Legal fees are clearly cheaper than research and development.

Which brings me to the point of this piece: building your own “Thing”. Do you want a camera watching your home while you’re away? Build one. Companies like Raspberry, Adafruit, and Arduino (to name just a few) have brought extremely cost-effective computing to the mass market, and relatively easy-to-use programming guides if you’ve never written a line of code in your life. Some of them even run Microsoft Windows!

Of course, building your own camera means that you can’t rely on Google or Sony to record and store your video, so you need what we call a DVR, or Digital Video Recorder. It didn’t help that cable and Internet-based television companies produced devices they also called DVRs, so there is some confusion when you search online. Fortunately the television kind is now called a PVR.

A DVR in this case is a hardware device with a number of connectors for security cameras to plug into. In the last ten years, this industry has seen impressive advances, where cameras are now wireless, connecting via the network, and DVRs can just be software.

In other words, you can buy a relatively inexpensive network-attached computer for your home (traditionally called a NAS, or network attached storage), run DVR software on it, and connect your Raspberry Pi Zero to that. Then, using a (free!) VPN (virtual private network) connection from your phone over the Internet to the NAS, you can view the images or video from the camera, and it’s all sitting in your home, away from prying eyes.

What you’ve done, then, is made your information harder to find. Security by obscurity. The chance of being hacked is still there, but the payday is much lower for a hacker if you use a good VPN server and follow best practices when it comes to securing your network.

One example is the principle of least privilege. What that means is, your camera that you’ve built will have its own security settings, away from, say, your desktop computer. If someone did happen to break into your VPN, and then break into your camera, they wouldn’t be able to hop onto yet another device on the network without doing a bit more work, because the security settings won’t work on any other device on the network (think of it like having a separate password for each device). Breaking this security is time-consuming, and working on stealing billions of passwords from Yahoo is much more lucrative.

Another example is layering. You don’t want to keep your Things on the same network as your computers. Even if they’re physically connected to the same Ethernet network, or everything is on Wi-Fi, there are inexpensive ways to partition your devices onto separate wireless networks, using the same router (which of course you’ve purchased separately, and sits between your cable company’s router and your network).

Yes, it takes a bit of effort to set up and secure your network. Yes, it costs more money. Yes, it’s inconvenient to trade security with ease of use, but the benefits are numerous, and I would suggest that it’s the minimum price of being part of the modern connected world. The manufacturers are responsible for creating ways to safely secure their devices, but we need to make sure we’re using those tools to keep ourselves safe from 7 billion (and counting) potential hackers.

It’s why in South Africa, to avoid being burgled, we just had to make sure we made our wall higher than the neighbours’ walls. If you’re going to be the family with the pretty little fence, welcome mat, and unlocked front door, don’t be surprised when you find a stranger going through your sex toys.

Published by

randolph

Connect with me on Google+