TECH

Security experts take aim at the Internet of (unsafe) Things

Elizabeth Weise

USATODAY

Security experts worry that newly connected at-home devices will be a lot harder to keep safe than laptops or cellphones.

LAS VEGAS — The day is fast approaching when your thermostat, washer, even the light bulbs in your lamps will contain embedded computers so they can talk to you and you to them.

Having your fridge order more milk when supplies get low, your house cool before you get home and your light bulbs tell you just before they need replacing might be nice, but security experts say these connections, called the Internet of Things, carry with them the potential for catastrophe.

They could just as easily tell a thief that you haven't been home in a week, because the fridge door hasn't been opened.

At Black Hat, an annual conference of hackers and computer security experts taking place here this week, almost every panel seemed to contain some reference to this coming wave of connected devices — and their dangers.

"In about a minute to an hour, I can reliably unlock the door on a car," said Silvio Cesare, an Australian researcher for security firm Qualys. He presented his findings on Thursday.

This is no idle concern. On Wednesday the National Insurance Crime Bureau reported that thieves are using high-tech electronic devices to break keyless-entry systems that lock modern cars.

Cesare demonstrated a similar approach using a radio scanner to turn off a home security system that can be unlocked via a key fob.

A report by Hewlett-Packard released last week found that it's already a problem. Seventy percent of the "smart" devices investigated by the company had security flaws.

It's still not clear who is responsible for the security of the devices we buy. Is it the companies that build them, the stores that sell them to us or do consumers have to take on the task of making sure they're safe?

"Do you really want to have to run antivirus on your car?" asked Joshua Corman, a security strategist with Sonatype, a security software company.

He and others have created a grassroots group called I Am the Cavalry. They work on issues in which computer security intersects with public safety and human life, because, as they put it, "the cavalry isn't coming" to save us.

Of course, heavy industry has used sensors to monitor expensive and sometimes dangerous equipment for years. But great care is taken to keep those sensors off line. No one wants the temperature on the furnace in a steel factory to be hackable.

It's so important that many systems use what's wryly called an "air gap" between sensors and any kind of online connection, so "you need to physically walk into another room to access the Internet," said Saša Zdjelar, a software security designer who works with industrial systems in the energy industry.

While industrial users long ago created serious security protocols, the process is only now beginning in the world of connected consumer devices, says Zdjelar. Recently launched alliances to establish security guidelines include the AllSeen Alliance, the Open Interconnect Consortium and the Thread Group.

Security experts also worry that these newly connected devices will be a lot harder to keep safe than laptops or cellphones.

It's taken almost 20 years for the world to accept that security requires updates. Software pushes to fix problems come to our phones, our laptops and our tablets with sometimes annoying frequency.

We've learned the hard way that without updates, the more time that elapses, the greater the likelihood our computer will be hackable.

Americans may not be quite so keen to go around the house updating the software on their rice cookers or sprinkler systems.

That means that until the owner buys a new one, the old device keeps getting more vulnerable.

"I replace my phone every three years, but I replace my thermostat approximately … never," said computer security expert Bruce Schneier.

What happens when the company that made your toaster oven stops producing and supporting that model?

Overall, having someone hack the clicker to your ceiling fan doesn't raise big security issues. But if that same fan is linked to a network that can be controlled from a cellphone or a laptop, it's a different story.

In theory, someone could leapfrog from the fan to your computer system and move on from there.

"The greater the connection, the higher the risk. It's a balance," said Mathew Solnik, a security researcher with Accuvant Labs in Los Angeles.. "That's why we're working so hard now, so that in five years, when these products are out on the market, we've prevented that from happening."