Angst at EDPS: Private Lives (not) in the Technical Age

Luckily I arrived late to EDPS in Monterey on Friday, April 22, because I did not hear the introduction of the first keynote speaker or hear his name. A good thing, as it turns out. The speaker was a technologist who doesn’t embrace technology when it’s used as a tool for intrusions into our lives. He’s concerned about how our private facts have become part of the public fabric, accessible to anyone who knows how to navigate the Cloud.

And so, in the spirit of Life imitating Art, I’m not going to list his name here. That detail is fully available on the EDPS website, but it will not be articulated here. What will be articulated here, however, is the audience reaction to the Keynoter’s comments. The audience became part of the presentation, with the keynote address quickly morphing into a round table discussion, a group therapy session for technology whiz-kids who worry about the increasingly public nature of our private lives in this digital, always-connected era.

*****************
The end of Private Lives …

Keynoter – Today, thanks to technology tracking devices, everything from cars to nannys are vulnerable to hacking. People are out there everywhere looking for ways to cause trouble for you, me, and everyone who has introduced technology into their lives.

And once the Bad Guys find your information, they can do great mischief. Nanny cams and the IoT are all part of this [descent into hell]. While we sell these things to people who are looking for convenience, the customers are not thinking for a moment about their own security.

Just consider what are today’s favorite things to do online: banking and purchasing. Both so convenient. People are using their cell phones to take a picture of a check and then uploading it for deposit into their bank accounts. A behavior that is truly appalling. They honestly believe they’ll never be stung by such careless [pursuits] of convenience.

Information that people would never consider giving to a stranger, they are now happily putting online. That’s how blissfully ignorant they are. The fact is, unless you’re a whole-system designer, you’re not thinking about the severe security risks in all of this.

Of course, everybody in your household has a cellphone, probably an Android, the dominant platform in most parts of the world. A phone loaded with discounted, buggy apps that need regular updates. Yet even the OS itself has only had 2 updates in 2 years on my phone.

The truth is that Verizon has no motivation to be a pass-through for Google updates. And the consumers are not taking the time to do the updates, which would be a way to provide better security.

Other problems: I use a Galaxy S4, which puts me 3 generations behind the current model, the Galaxy S7. Verizon wants me to update my phone to the newer model. My primary motivation would be to get the security updates, but I really don’t want to spend the money to upgrade. It took me forever just to go to a smart phone in the first place and I consider this constant pressure to move forward a great invasion of my privacy.

Now extend these market pressures, and the risks, to the IoT. The introduction of the IoT says your fridge, your toaster, and even your light bulbs are connected to the Cloud. That means soon, we won’t even be able to count on our appliances to protect our security.

Meanwhile, the cost of keeping track of the infrastructure for these IoT devices is going to be more than the devices themselves – and the reason I’m now hearing I shouldn’t be buying appliances that are connected. There’s just always going to be too much risk, and not enough economic incentive to push out the security updates.

But just as Verizon fully expects me to throw away my 2-year-old phone, appliance vendors now expect me to trade in my fridge or toaster with much greater frequency. No matter that I’ve got a 15-year-old server at home that still works, and a 20-year-old washer and dryer, if I respond to market pressure and replace them with modern connected appliances, which manufacturer is going to update the security in the interfaces of these appliances?

It’s not just my mom’s fridge that will be compromising her security because she unaware of the risks, the security of my own household will be compromised as well.

And for crying out loud, who’s going to update my light bulbs with security patches, particularly when the light bulbs don’t have any kind of interface? Will owners receive an email warning them of security breaches and workarounds to correct things? For a $2 light bulb, which manufacturer is going to spend the money to push out the updates?

Which brings up the question: Who is responsible for keeping track of the software revisions that organize and protect the IoT infrastructure? The manufacturer, or the customer?

Of course, not everybody has given up on the idea of appliances as part of the IoT, but it’s crucial to remember that if security’s not architected into these devices from the most fundamental level of the design, there is always going to be concern.

And no one wants to say it, but because your house is full of connected devices your attack surface is that much larger. To consider a really large attack surface, remember the U.S. Government Office of Personnel Management suffered that terrible data breach last year.

I spent 20 years in the Navy and I’m very concerned about that data breach. It angers me that they lost my information, but the situation is out of my control. Shaking my fist does nothing. And I’m still required to give my social security number if I want to be hired anywhere, and will continue to do so.

Nonetheless, I want to minimize my risks in other ways. My Jeep, for example. The average consumer can’t judge if installing a WiFi access point in their Jeep is going to allow for a hack. Yet if someone can hack into my car’s control system, they can drive me off the road and hurt me – something they can’t do just by taking my social security number.

So I continue to drive my 1965 Mustang. It’s not connected and I like it that way. I have a colleague who drives a Corvette for the same reason, there’s no remote interface into the vehicle.

Audience member – But money used to be kept at home, and now it’s in the bank. Things evolve.

Keynoter – Yes, but the danger in the Cloud is more than just from syncing all of my photos out there. Consciously engineered that way or not, every device now wants to sync to the Cloud. They – the Googles and Apples out there – want everything on the Cloud. That way they don’t have to put a hard drive into your phone.

And by the way, I trust my bank far more than Verizon, trust those who care for my financial information versus those who oversee my personal information.

Speaking of cars, the Tesla is the newest hot mess. The company has security teams working on the problem, and invite people to try to hack their products. Of course, Tesla doesn’t want their products hacked, but they want to know what their friends can do before dealing with their enemies.

Okay, so where does all of this leave me? Can I go into full turtle mode, retreating into my security shell and avoiding the world? Probably not. And, even I like to be able to check the sports scores on my mobile device when in a remote area.

But I also encourage my family and friends to be extremely cautious. I have my own server in my house, as I mentioned, and check all of the packets coming and going. Nonetheless, I advocate for caution for those people who live in my house. I don’t want them to make statements when they’re 13 and post them online, not knowing how those statements might come back to haunt them when they’re 30.

Audience member – Remember when the telegraph was barred from stock trading, and then the telephone. Then the ticker tape was invented by Edison for the Senate but they rejected it as invasive, so it went to the stock market. Now the stock market has miles of optical cable installed for instant communication. Similarly and very soon, you’ll have no choice but to buy an electrical vehicle, which means you’ll have no choice but to drive an always-connected vehicle.

Keynoter – When I have no choice but to buy an EV, I’ll go to the bicycle for transportation.

Audience member – Yes, those on-board tracking systems in new cars really do allow people to follow you around, to always know where you are.

Keynoter – I never have the GPS turned on in my phone. Yes, I have a chip in my credit card, but at least there’s some sort of control of the privacy on my end when the GPS on my phone is turned off.

Audience member – But we need to totally trust the banks, because the only other choice is the mattress as a place for our savings. And we also need to trust a lot of technology.

Keynoter – While banks work on trust, Facebook for example has worked hard to lose our trust.

Audience member – It’s like faith. You have to have unshakable faith in your bank and their IT capabilities.

Keynoter – Yes, but I still don’t trust my bank completely to protect my financial information.

Audience member – You have faith in the food you buy at the store, in the people who raise the vegetables and the chickens. Yet GMO food is just another kind of hacking. We choose to see it as goodness, but it can certainly be turned towards badness. It’s a matter of perspective.

Keynoter – Our security is compromised with every single word we upload, whether through email or anything else online. The police agencies are learning to look for certain words. Eventually, because I may have inadvertently used suspect words, they will come for me. Which is the principle reason I do very little browsing on my phone.

Audience member – And the smart home we’re all hearing about and moving to is also full of monitoring features.

Keynoter – And that’s where poking holes in these things continues to be so important.

Audience member – I have an Amazon Alexa scrutiny system at home. It’s WiFi and can be sniffed. They say it’s not true, but how do I know it doesn’t have the last 8 hours of info cached there and vulnerable to hacking.

Keynoter – There’s a point where your plain text goes to an encrypted digital stream. To assure your privacy, you need to tap into that actual digital stream.

Audience member – But is there any way to do that?

Keynoter – I’m saying it’s difficult, but it can be done.

Audience member – By 2018, back-up cameras are being forced into all new cars, an invasion of privacy that’s being forced down our throats. Those cameras are candidates for hacking.

Keynoter – Why I’ve been warning my kids from a very young age about having a digital profile online. I say to them, if you can’t elegantly explain what you just said in your post, then you need to not put it there in the first place. And the same is true for photos.

Audience member – Would it be appropriate to push all of this back onto Google or Apple? To make them responsible for the security of the mobile devices we buy from them?

Keynoter – Where is this push back going to come from? There’s never been a successful class action suit against Microsoft, for instance. The agreements you’ve signed without reading them, which say you understand you’re using this software at your own risk, means the liability for insecure software is very unclear.

Going forward, we are going to be able to hold companies responsible, or their software will be considered junk. And good news that the browsers have now improved from a security and privacy point of view. My choice is Chrome today.

Audience member – But there are WebRTC leaks in Chrome. Just do a search and you’ll see all of the problems.

Keynoter – Okay, this talk has not turned out as planned, although this conversation has been extremely informative. Let me finish by reviewing my final slide.

When it comes to consumer awareness of the security risks inherent in the IoT, generally there is little. Customers continue to be unequipped to make informed security decisions about their connected devices and appliances. And you need to understand, this problem will neither go away nor get any easier as the number of connected devices in homes increases by orders of magnitude.

Which brings me to my message and my plea: Making people’s lives easier through technology is not a bad thing, but putting them at risk while doing it is very much a bad thing.

We need to audit these IoT products as they make their way to market, and we need to hire hackers specifically so we can see how they are breaking these devices or bending it to the will of the users.

To solve the problems around security, we need to understand the hackers’ intent and anticipate their every action. More importantly, we need to never let convenience trump security.

*****************

Tags: Amazon, EDPS, Facebook, Google, IoT, Samsung, Tesla, US OPM

This entry was posted on Thursday, May 5th, 2016 at 11:20 pm. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.