Are you Afraid of the Dark?

By Anon Anon posted Feb 18, 2015 10:11 AM

  

Ramblings of an Automation Mad Man (A Blog Series)
By Jerry Maldonado – VP of Automation, Customer Lifecycle Solutions

 

It’s a cold, chilly night. The rain has been pouring steadily for hours, pounding against the house with a sound that reminds you of millions of carnivorous ants pounding across the African forest, consuming everything in their way. The wind, howling like a pack of wolves closing in on its unsuspecting prey, whirls and bangs tree branches against your house. Boom, crack, the sound of thunder rips the night sky so suddenly and violently that it causes you to jump while clutching your blanket as you sit on the couch trying to watch the news. The lights flicker as you see the story about the increasing number of peeping toms and home invasions. Suddenly, you panic and reach for your smartphone and press a button on your newly minted DIY home automation that shows you that your cameras are all working and the door is locked. For a moment you feel secure, until you look at one of the camera feeds and somehow the camera is looking at you. You get this feeling that you are being watched and you tighten your grip on your blanket. Your pulse speeds up and sweat starts to build on your forehead while the overwhelming need to run consumes your soul. “Nah, must just be my imagination,” you say to yourself, and then you look over at the phone and the video feed is a close-up of your face. . .

 

Boom! Crack! Lightning, panic, fear, a scream . . .


This sounds like the great beginning of a horror film or murder mystery book, but is it? Today the Internet of Things makes it possible to hook up so many things to the internet, things we can control from our phones, via a remote website, and from the outside world. These items are great for everyday life. You know how many times I have asked myself, “Mad Man, did you close the garage door when you left?” Hmmm, let me check! I open up the smartphone and say, “Why yes, I did.” Or I get a call from someone in the house while I’m in Europe or across the country, and all I have to do is look at the cameras to make sure that everything is OK.

 

But am I really the only one that can do that? No, I don’t mean another member of my family. Could some strange, dark, sinister force out there be using my IoT devices to spy on me, and then some?

 

Sure, it might sound farfetched, and maybe I’m a little paranoid, but think about it! There are now several websites out there that have gone out and sniffed the World Wide Web for folks and businesses that have purchased IoT devices and have simply forgotten about setting security on their device. Yep, one site has video cameras exposed to the internet with default security settings, available for anyone to see. In case you’re wondering, this site claims to have over 76K across the globe. This means that someone other than who is supposed to have access can now access your camera and, in some cases, control it.

Maybe you’re thinking that these guys can only see outside my house or business. But smart burglars can use your own security to case your own house.  They can establish your schedules, routines, and maybe even see you type the deactivation sequence on your alarm.  Oh, and did you forget about the baby monitor you purchased that is tied to the internet so you can monitor the baby? Ever wonder who else might be watching?

Get the picture?  Or in this case the video?

 

Boom! Crack! Lightning, panic, fear, a scream . . .


Cameras are only one of the many things that are not secured. There could be other IoT devices that have the same issues. Take your smartphone, for example. How many folks or businesses leave these devices unlocked and open? I recently got several texts from friends that were very strange, so I called them to see what was up. Apparently, one friend had left the phone on the table and one of the kids got ahold of it. Another was out with friends and the friends started texting folks at random. The other had lost their phone and somebody was texting to see who owned the phone so they could return it. This whole discussion screams for the need for some mobile device manager technology as well as mobile security, but we can chat about that at another time.

 

I was chatting with some colleagues the other day and was amazed at where they ranked the need for security in the world of the IoT. I listened and learned how these seasoned professionals felt that there is no relevant data or reason to lock down these devices, or to design the IoT world in a wheel-and-spoke pattern to aid in securing devices. As they all laughed and joked about the need for security, I started to think about this particular story.

 

Say you bought one of those new refrigerators that you can set up to talk to a grocery store and reorder items as it becomes empty. How it works is that you simply scan the bar code when the item is empty, and it creates a list that at the end of the day gets sent to one of the many supermarkets that you have an account with. The application also allows you to set up standard orders for milk, bread and other items that are routinely checked and ordered at the store. The application relies on a user name and password to log into your account and place the order. Other devices you have are a baby monitor and a camera over your front door. Both of these devices are connected directly to the internet. Your home router, with a firewall built in, has the default password assigned. You also have one of them new fancy locks that lock and unlock themselves at the touch of a button.

 

If you’re like me, you do a lot of online orders and have them shipped to your house. Most times no one is home, so the packages are left on the doorstep in line of the camera so you can see them. Now, in a ten-block radius of your house, maybe 30 other folks have a similar unsecured camera like yourself, and maybe a couple of businesses within that area have a point-and-zoom camera as well, so a slight adjustment of the camera might showcase additional houses. It would be pretty simple to create an application that could identify packages being delivered, and with a little more analytics and a little creativity, figure out folks’ schedules along that line. At this point the entire room knew what I was talking about, and the comment I received was “yeah, good point but. . .”

 

OK, let’s look at what happens if a refrigerator vulnerability is discovered that lets someone gain access to the system. Let’s say it gave them the capability of adding an item to your shopping list every day. A quick scan of the internet could find all the devices, and a simple sniff of traffic could identify the item added during a transaction. It would be conceivable at this point to use this information to hijack your credit information and use that to make the purchase, over and over again.

 

I continued the story with other possibilities and potential outcomes. Then I ended it with the statement “go big or go home”. Huh, what does that mean? The IoT is predicted to produce billions of devices over the next couple of years. Analysts predict that today one in 25 devices is left in the default setting; that is probably a billion devices or more left wide open. With a big target like that, one good hit will send a team home very happy.

 

Boom! Crack! Lightning, panic, fear, a scream . . .


Security is a big-ticket item in the land of the IoT, and in subsequent blogs and posts I will dig into some ideas to help secure this world. But by no means am I a security expert, just an expert in determining patterns and processes that I can then help automate for the betterment of man. I guess you could say… OK, this you have to do in your best BATMAN voice . . . I’m Mad Man, Automation Mad Man. So if I can figure this stuff out, I am sure others are out there thinking as well.


Boom! Crack! Lightning, panic, fear, a scream . . .


Follow the Ramblings of an Automation Mad Man every Wednesday. Did you miss last week’s post? Read it here: Are You Thinking Automation When You Think DevOps?
