STE WILLIAMS

We might use your IoT stuff to spy on you, says top spook James Clapper

It’s scary enough when random cyber creeps spy on children in their cribs via internet-connected babycams.

How much more appalling is it to think that it could be Big Brother doing the eyeballing, be it through your internet-connected fridge, your toothbrush, or your TV?

That, in fact, is possible in the future, US director of national intelligence James Clapper said during testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the country.

He was talking about the Internet of Things, or IoT: that collection of connected gadgets that have plenty of “neat-o!” factor but which, all too often, are pockmarked with security holes.

The Guardian quoted Clapper:

In the future, intelligence services might use the [IoT] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

As Naked Security’s Paul Ducklin explained in a Sophos blog recently, IoT refers to a whole class of day-to-day “things” that are now being offered with built-in network connectivity.

These everyday objects can directly hook into the internet, all on their own, rather than needing to first be plugged into a computer connected to the internet.

The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into all manner of objects, and the situation has left security pros justifiably alarmed.

A 2014 study by HP found that 7 out of 10 internet-enabled devices were vulnerable to some form of attack, and the tested devices averaged 25 invitations to mayhem per gadget.

Because IoT devices can be connected to the internet, the people they protect are at risk from anyone who can find a connected device. That’s certainly not hard: as it is, the IoT has its own search engine.

If and when intelligence agencies get around to tapping into the IoT – Clapper didn’t specify which agencies are mulling the move – they’ll have quite a list of household objects to squeeze surveillance out of.

We’ve seen issues with connected kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege.

But one person’s security hole is another person’s opportunity.

To intelligence agencies, IoT devices could illuminate an environment that they claim is “going dark” due to new forms of encryption being used in consumer products and services.

That was the conclusion of a recent study published by the Berkman Center for Internet and Society.

Rather than having evidence “go dark”, as law enforcement has repeatedly claimed, the increasing number of IoT devices presents ever more opportunities for surveillance.

Berkman fellow and cryptographer Bruce Schneier:

We’re questioning whether the ‘going dark’ metaphor used by the FBI and other government officials fully describes the future of the government’s capacity to access communications.

We think it doesn’t. While it may be true that there are pockets of dimness, there are other areas where communications and information are actually becoming more illuminated, opening up more vectors for surveillance.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Qegdm57wqrc/
