Security Of Things
Last Friday I received the Twine. High expectations and a bit of disappointment. It works. But somehow I cannot find enough value in SMSes or emails triggered by the Twine sensor to compensate for the cost of $200. After all, today for $200 you can have a hell of a gadget: a modern Internet tablet or even a Chromebook, fully equipped with a high resolution display, a 320GB drive and wired / wireless LAN connectivity. Also, while Twine is one of the first battery-powered, Internet-connected, autonomous "things", it does not introduce any real novelty. Similar platforms, like ioBridge.com, have been available for years. Twine offers three sensors: water, magnetic and wire contact. ioBridge has many more, and it offers actuators too. Not to mention the Iota kits for $50.
The Twine has inspired me to touch on the very important issue of security in the world of the Internet Of Things. It is an example of many implementations I see today. Things talk to a web service. Sure, they use HTTPS / SSL. So the connection is secure. But what about the other end? SSL secures the pipe from a thing to a server in the Cloud. The server YOU are reporting your data to. The server processes YOUR data. It can't process the encrypted stream. It has to DECRYPT. After the data is decrypted, it starts accumulating in the server's memory. Then in the log files. Then it may be backed up somewhere. Decrypted. Yes, I trust the company policy is to never look into your data. But can they enforce this policy? Can you be absolutely sure they do not employ a sysadmin who on a bad day has access to the web server logs? Remember Dennis Nedry from Jurassic Park? It is OK as long as you use the Things only to play with. But once they really start controlling the vital systems in your house? Would you really let them exchange the decrypted data via 3rd party servers?
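The decrypt-at-the-relay problem in code, as an added illustration that is not from the post or from Twine: a cloud relay terminates TLS and logs whatever it receives, so with transport-only encryption the owner's sensor reading lands in the relay log in the clear, while sealing the payload with a key that only the device and the owner hold leaves the relay with nothing but ciphertext. The HMAC-SHA256 counter-mode keystream, the relay class and the sample reading are constructed stand-ins so the example runs with the Python standard library alone; a real device would use an AEAD such as AES-GCM.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC; wire format is nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Relay:
    """Constructed third-party cloud relay: TLS ends here, so it logs exactly what it received."""
    def __init__(self):
        self.log = []
    def receive(self, body):
        self.log.append(body)
        return body

def transport_only(reading):
    # TLS protects only the pipe; after termination the relay holds the JSON in the clear.
    relay = Relay()
    relay.receive(json.dumps(reading).encode())
    return relay.log

def end_to_end(reading, enc_key, mac_key):
    # The device seals the reading with keys only it and the owner hold; the relay just forwards.
    relay = Relay()
    relay.receive(seal(enc_key, mac_key, json.dumps(reading).encode()))
    owner_view = json.loads(unseal(enc_key, mac_key, relay.log[0]))
    return relay.log, owner_view

def log_exposes(log, secret):
    # What a sysadmin grepping the relay's log files would find.
    return any(secret.encode() in entry for entry in log)
```

Run `transport_only({"sensor": "water", "state": "wet"})` and `end_to_end(...)` with the same reading and compare what `log_exposes(log, "wet")` reports for each; a flipped byte in the sealed blob makes `unseal` raise rather than return altered data.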
What is even more puzzling, almost every IP webcam vendor today offers a service that lets you log on to YOUR camera with a web browser. And in almost every case the video stream passes UNENCRYPTED via 3rd party servers. Even some well known leaders in the home automation space offer services built this way. They offer you passwords to securely log in to your home via their web services. Have they told you they can potentially tap into your video stream, or record / archive it? I am not saying somebody is doing that. For me, the realization of such a possibility is enough to reject the service.
Security is the key to the widespread adoption of the Internet Of Things. As an owner of the Things, I have to be sure nobody can access my Things unless I intentionally let them do so. Many IoT adopters are not aware of the problem. Yet. And many IoT service providers take shortcuts in their security implementations. Such shortcuts are a ticking time bomb. I would not want to have one in my business.
This excellent post should be read in the context of this great TED talk:
http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html
Richard
Excellent talk, building consumer awareness...