Are our domestic IoT devices just ‘devices’?
Are we taking home automation IoT seriously?
By Steve Smith
When Rob and I founded Astro, a significant element of our work involved building voice and telemetry systems for the offshore oil and gas industry and, to a lesser degree, for military installations. Everything was bespoke to the point where we received blueprints of the system and we sat at the bench and manually soldered the backplane wiring. We then added a number of modules including modems, echo suppressors, echo cancellers, analog bridges, signalling units and power supplies. Rarely were the modules all the same physical size, so the chassis and our wiring had to accommodate this.
On completion we would fine tune the equipment and set the analog levels throughout the chassis as each module had its own operating tolerances. At the end of a system build we would have up to 30 individually bespoke chassis to serve each location of the single system.
These bespoke systems were inherently secure as there was no online access and no commonality across the equipment, so anyone trying to tap into the system to monitor what was going on faced a serious challenge. It certainly wasn’t impossible, and it did happen, but it was far from common.
I see many similarities between these legacy telemetry systems and today’s Internet of Things or IoT. However, in the IoT world of today we have a significantly different landscape. In particular, with the IoT we are opening up our homes and private lives to a plethora of devices, applications and data lakes, all constantly under attack from nefarious actors including cybercriminals, hostile nations and terrorists. We are also considerably more tolerant of reliability issues: we are used to mobile phones dropping connections, having to reboot PCs and having to power off and reset a plethora of ‘intelligent’ devices that we use in our everyday lives.
I recently attended a dinner at the Armourer’s Hall in the City of London organized by the Information Systems Security Association. Vint Cerf – one of the “fathers of the Internet” – was the guest speaker. Vint had some very interesting points on the IoT technology we are welcoming into our homes with open arms.
It doesn’t take an IT expert to realise that home owners want reliable IoT in their homes. As Vint pointed out, no one wants a light switch that only has an 80% probability of switching the light on or off. However, security and safety do not necessarily feature so high (if at all) in the feature list of domestic IoT users. Yet IoT is a very serious threat to our safety and our security.
Vint used environmental monitoring as an example of where we may be leaving ourselves and our property exposed. For example, if we have IoT devices in our home recording data such as temperature, humidity, ventilation and power consumption, these monitor and control devices will store their data on a local server or in the Cloud. At first glance this data doesn’t appear too sensitive, but what if someone gained access to the historical data? They could gain a really good understanding as to the occupation of the property, the number of people at home, when it is empty and ultimately, when it would be a good time to break in.
More advanced home security systems may use voice recognition to open doors or switch off intruder alarms. The voice recognition data must be stored somewhere and if it became accessible to the criminal fraternity they could render voice activated access control systems useless. Old school property burglars and cybercriminals combining forces with potentially devastating effect.
Vint then explored some less considered aspects of security webcam systems. Many people have home security webcam systems that allow them to keep an eye on their property from their mobile phone. We like the convenience of being able to monitor our homes while we are away, but we wouldn’t want others to access these cameras as they would know exactly when we are at home, which rooms we are in and when the property is empty.
But what if our property was on fire? We may want the emergency services to have access to these cameras in the event of an emergency. If firefighters had access to these cameras they could locate people trapped inside much more easily and plan their route in and out of the property, reducing the risk to their own lives. The police would also benefit from webcam access in the event of a real-time incident such as a burglary or hostage situation. However, we don’t want the emergency services having access to these systems at any other time for privacy reasons.
In a home setting we must also consider the types of users. Vint offered the example of parents, children and guests. We cannot allow children to have more control over the home than their parents. When we have guests over for a few hours or for a few days, Vint posed the questions: “How do we introduce them to the house?” “How do you introduce the house to them?” These questions raised a few chuckles from the audience, but they are serious questions. What control are we going to allow our guests to have during their stay? What if our house is entirely voice controlled? Do we ask them to speak through some pre-arranged sentences to enable them to switch the lights on or flush the toilet? What happens when they leave? We know they have control over some elements of our home and that may not be desirable.
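The user types and the emergency-access condition described above can be written down as a deny-by-default policy check. This is an added example, not something from the talk or from any product; the role names, action names and the `active_incident` flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical roles and actions, chosen to mirror the users named in the text.
ROLE_ACTIONS = {
    "parent": {"lights", "door_lock", "camera_view", "manage_users"},
    "child": {"lights"},
    "guest": {"lights", "door_lock"},
    "emergency": {"camera_view"},
}

@dataclass
class Grant:
    user: str
    role: str
    not_before: Optional[datetime] = None  # guests: start of stay
    not_after: Optional[datetime] = None   # guests: end of stay

def is_allowed(grant, action, now, active_incident=False):
    """Return (decision, reason). Anything not explicitly permitted is denied."""
    if action not in ROLE_ACTIONS.get(grant.role, set()):
        return False, "action not permitted for role"
    if grant.role == "guest":
        # A guest grant without an expiry would outlive the visit, so refuse it.
        if grant.not_before is None or grant.not_after is None:
            return False, "guest grant must be time-bounded"
        if not (grant.not_before <= now <= grant.not_after):
            return False, "guest grant outside stay window"
    if grant.role == "emergency" and not active_incident:
        # Camera access for responders exists only while an alarm is active.
        return False, "no active incident"
    return True, "ok"

def evaluate_samples():
    """Decisions for constructed sample requests (dates are made up)."""
    guest = Grant("guest-1", "guest", datetime(2024, 5, 1, 15), datetime(2024, 5, 3, 11))
    fire, child = Grant("fire-service", "emergency"), Grant("child-1", "child")
    during, after = datetime(2024, 5, 2, 20), datetime(2024, 5, 4, 9)
    return {
        "guest_during": is_allowed(guest, "lights", during)[0],
        "guest_after": is_allowed(guest, "lights", after)[0],
        "guest_camera": is_allowed(guest, "camera_view", during)[0],
        "child_lock": is_allowed(child, "door_lock", during)[0],
        "fire_idle": is_allowed(fire, "camera_view", during)[0],
        "fire_incident": is_allowed(fire, "camera_view", during, active_incident=True)[0],
    }

if __name__ == "__main__":
    print(evaluate_samples())
```

The guest's rights lapse on their own when the stay window closes, and the emergency role sees the cameras only while an incident is flagged.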
Vint’s key point in his talk is that we have to think about IoT in systems terms; we cannot think about individual devices. This seems obvious given that many of these devices must communicate with each other if they are to make a seriously positive impact on our lives. And on this point, interoperability and standards are vitally important if we are going to get the best from our IoT systems.
We undoubtedly need to tighten up on controls in our home IoT systems but we must ensure we retain ease of use. We just want all of this technology in our living space to work. We don’t want to have to get involved in the detail of making it work or keeping it secure or having to reconfigure it if we move home. It just has to work, securely, safely and reliably. Vint pointed out that nobody wants a house that stops working when the internet is down. The IoT controlled home needs to work locally as well as online.
The oil and gas telemetry systems we worked on in the 1980s had no margin for error. They simply had to be significantly higher than 99% reliable, safe and secure. If a serious pipeline issue went unnoticed due to a ‘glitch’ in the monitoring system, the production of the field along with many lives were at stake. But the landscape is significantly different now, with potentially so much more at stake if we don’t take domestic home devices seriously and secure them appropriately. If they are compromised on a grand scale they have the potential to take down the critical national infrastructure and place the UK into a state of anarchy. A very sobering thought!
With thanks to…
The Information Systems Security Association – ISSA
ISSA Photographer Sigi Kirkpatrick (event photos)