Back to blog

the chaos to come – or ‘why it is important to care about security’

12/09/2014 - Posted in knowledge , security Posted by:



reading time: 5 minutes

It has been a while since my last post and i apologize for that. In the past 2-3 weeks very interesting things happened which i will not mention here since there really big news find their way to mass media anyway. If you still want to keep on track i can recommend the blog of famously known Bruce Schneier and/or hackernews(although they have more generic news on there).

the internet of fails

While watching some Defcon22 presentations i stumbled across a talk that focuses on the internet of fails – more commonly known as the internet of things. In this talk they speak about the beautiful movement started by Kickstarter, Arduino and co. A movement of invention, where everyone who has an idea can create a product and share it with the world. If you have been browsing through the projects on Kickstarter you will know that there is a vast amount of awesome new gadgets that will simplify your life or in the worst cast just make you look qwler.

On those crowdfunding platforms you can find many things that make you drool – believe me, i know. I do that on a regular basis to get a kick once in a while – and while you may think that gadget XY will make your life infinitely better, we rarely think about the implications if we introduce these devices into our life. Think about what it means for your privacy, your security and even your social life. You may wonder how gadgets could possibly influence all of that. Let’s think about the functionality of let’s say an awesome looking and probably very practical thing like the Nest.

the life threatening smoke detector

Nest offers a thermostat and a smoke (and carbon monoxide) detector which look really sweet. I always wanted to get a Nest thermostat myself but sadly they did not sell them in Europe for a long time. Imagine you buy those things because they look nice and because you want to save energy to save some money and preserve mother nature. You buy them install them and connect them to your network, they work and everything is fine – right? wrong! As far as privacy goes nest will probably send all of your pretty data to Google for them to analyze and use. You have to know that Google bought Nest a while back, so it is very likely that Google has access to the data of Nest users.

In regards to security let’s take a look at the smoke detector. The thing is very smart and connected to the network which brings many convenience functions. On the other hand this exposes an attack surface for anyone who has something malicious in mind. If they can obtain control of the smoke detector they probably cannot only use that to troll you and drive you out of the bed at 3A.M. with your pulse at 180 but also to probably disable the alarms. Now a device that you relied on with your life does not function properly anymore – and that really should be a reason to be concerned.*

As for the previously mentioned social life we have to back up a little and talk about gadgets in general. I work at a young tech startup – who doesn’t? I mean it is 2014 for heaven’s sake – and my colleagues are the typical young developers who love the web 2.0 and the internet of things. They love that everything is connected and they spend a lot of their time optimising their everyday life up to a point where, at least in my opinion, they are overambitious. They spend so much time looking for apps, websites, tools and gadgets to speed up their life and make it more productive that they forget what matters most. Time. They spent incredible amounts of time in creating Alfred workflows or App workflows – appflows? is that a thing? – that the time they will probably save does not add up to the amount of work they spent by creating the workflows and learning all those tools. As a side effect they waste so much time with their smartphones, their computers and on the internet, that they could use to talk to people. I mean who does not know the typical subway scenery where everyone has their headphones plugged in and is staring at their smartphone to like the newest kitteh post on Facebook, or the latest cupcake image on Instagram. These things take away our social interactions and that is bad. I know that there are probably people who disagree but talking to others in person is usually more fun then to just drop them a line on FB or text them on your favourite messenger.

good coder – bad coder

To close the circle and come back to the topic of this article there is another serious underlying issue that we are not aware of. Since everyone can create something and everyone is creating something we introduce many security holes in our lives. As Mark Stanislav and Zach Lanier have proven the internet of things is full of security flaws. That is because many people know how to code, because it is easy to code and because there are so many tools, libraries and hardware platforms out there that make it easy to create something of your own and because few of those people know how to write secure code. Many people who code, do so very badly. It is not that they do it on purpose but rather they never learned to write clean, well documented and most of all secure code. In 2014 it is easy to learn how to write an application that gets a job done because there are many tutorials out there and because you can use a vast number of libraries that take work off your hands. Yet only few people have the background and the knowledge to write proper code and even less of these people will ever read an RFC.

I don’t think that those people are to be blamed because our society is very profit and purpose oriented and therefor has the mindset “if it gets the job done, it is fine.”. In addition many examples you can find on the internet have been written by people who are not the best coders themselves. Therefore it is very hard to learn proper coding, in the sense of security and maintainable code, if you don’t have a source which provides you with excellent guidance or an education in that field. This does not mean that you have to go to university to become a class A developer. Going to university does not guarantee that you are an able coder. And not going to university does not necessarily mean you are a bad programmer, it just means that you probably have to put in extra effort to find good learning materials to learn from to be as well educated as someone who had personal guidance at uni.

TL;DR

So the message here is, unless people start to learn to code properly, securely and read the RFC the future will be very interesting. If everything is connected to a network and it got coded poorly you will have a hard time to keep yourself save from the threats out there in the wild. *dreaming* I wait for the day where my smart chair is starting a fire in my house because a malware told my oven to overheat something while i’m not at home. *dreaming off*

 

*I did not do any security research on Nest and Google and therefore can guarantee that they are safe or unsafe. It is just a hypothetical example to depict the broader problem of the IoT.

Leave a Reply

Your email address will not be published. Required fields are marked *