Secure The Things!
One of the biggest news stories of the last few months was the DDoS (Distributed Denial of Service) attack that disrupted internet service to the Northeastern United States for an entire day and other parts of the US for portions thereof. The way this attack worked was that hackers using malicious software gained control of IoT devices that were connected to the network. If a device has computational ability and is connected to a network, it is hackable. It might not have a lot of computational abilities, but it doesn’t have to in order to be used for disruptive behavior.
What the hackers did next was have hundreds of thousands of these devices reach out to a Domain Name System (DNS) provider, in this case Dyn, and send millions of requests simultaneously. That was in addition to the normal traffic that would come through the sites hosted by Dyn. The result was that the servers were overwhelmed. The websites that use Dyn, such as Twitter, Reddit, Netflix and dozens of others, became unavailable to people attempting to visit them because the servers couldn’t handle that many simultaneous requests.
When the smoke cleared from that day and investigators were able to see which devices had been requesting the information, it was revealed that hundreds of thousands of the devices used in this attack had been IoT devices. Some of these included IP cameras, DVRs and even network-connected two-way speakers.
This kind of attack is what is referred to as a botnet attack. The people who owned these devices had no idea that it was happening, or that their devices were being used maliciously. Their devices had been turned into bots acting on the command of the hackers who had taken control of them.
How could this have been prevented? Secure the devices.
The most vocal detractors of the IoT world cite the lack of security in the devices as the biggest issue facing the future of the technology. Because no security standards are required of manufacturers, any device added to a network becomes a vulnerability of the network to which it is connected.
The simplest way to secure any device is to change the default password, assuming that you are able to do so. In some cases, the password of an IoT device cannot be changed at all: when the device is taken out of the box and connected to the network in your home, it is simply discoverable by your controller, be it your phone, computer or smart home system. If the password is inaccessible, how do you go about securing this device so your network isn’t vulnerable? The same way that audiovisual integrators have been doing it on corporate LANs for the last several years: we use VLANs (virtual local area networks).
Because the fundamental use of IoT devices is to collect and track data, that means that, if your devices are accessible, potentially so is your data. If you cannot secure the device itself, then the next thing to do is separate it from the rest of your network so you are not creating a network vulnerability. The greatest beauty of the Internet of Things is that it allows all of these devices to connect together. The greatest issue with the Internet of Things is that it allows all of these devices to connect together. If two devices and their back-end systems that share data are able to connect to one another, that means that, if one is vulnerable to hacking, they are both vulnerable to someone gaining access to your information.
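The segmentation described above, as an added example that is not part of the original article: an nftables ruleset for a Linux router that places IoT devices on their own VLAN, lets trusted devices reach them, allows them only documented outbound ports, and logs anything else. The interface names eth0.10 (trusted LAN, VLAN 10), eth0.20 (IoT, VLAN 20) and wan0, and the allowed ports, are assumptions.

```nftables
# Added example: isolate an IoT VLAN on a Linux router with nftables.
# Assumed interfaces: eth0.10 = trusted LAN (VLAN 10), eth0.20 = IoT (VLAN 20), wan0 = uplink.
# The VLAN sub-interfaces are assumed to exist already, e.g. created with:
#   ip link add link eth0 name eth0.20 type vlan id 20
define LAN = "eth0.10"
define IOT = "eth0.20"
define WAN = "wan0"

table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed by the rules below
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach IoT devices (phone or controller -> camera, DVR)
        iifname $LAN oifname $IOT accept

        # IoT devices may reach the internet for their cloud service, but only
        # on the ports the vendor documents (assumed here: HTTPS and NTP)
        iifname $IOT oifname $WAN tcp dport 443 accept
        iifname $IOT oifname $WAN udp dport 123 accept

        # Everything else from the IoT VLAN is logged and dropped: an IoT device
        # initiating traffic toward the LAN, or toward unexpected internet ports,
        # is exactly the behaviour a botnet-infected device shows.
        iifname $IOT limit rate 5/minute log prefix "iot-vlan-blocked: "
        iifname $IOT drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # IoT devices may use the router itself only for DHCP and DNS
        iifname $IOT udp dport { 67, 53 } accept
        iifname $LAN accept
    }
}
```

Load it with `nft -f` and watch the kernel log for the `iot-vlan-blocked:` prefix; a camera or DVR that repeatedly trips that rule is the one to pull off the network and inspect.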
Policy Issues Facing IoT
There are several policy issues related to IoT:
The way that the networks and the devices connecting to them are being regulated has a massive effect on future deployments. The FCC (Federal Communications Commission) and the FTC (Federal Trade Commission) control the regulations that will have the greatest impact on the future of IoT.
The FCC has been making a lot of headlines over the last two years because of its efforts in reclassifying how Internet Service Providers (ISPs) manage the data that passes through their networks. This reclassification and change in regulation was what the Open Internet Rules (also commonly known as Net Neutrality Rules) established. These rules set forth the concept that all data on an ISP’s network must be treated equally. No service can be prioritized over another. One person doing Google searches for a research paper will have the same treatment of data as someone streaming 4K video from Netflix.
The catch in the rules, though, is that there are exceptions. The key to the data that cannot be blocked, throttled or forced into paid prioritization is that the edge provider service must be accessible from any web browser. Many IoT devices, therefore, might not qualify because, although you can log in to many of them from your PC via a web browser to see your personal data, the device’s communication back to a server or cloud service on the internet would not be accessible in that way.
How the ISPs treat this data moving forward will have a drastic impact on whether the government will be required to revisit these rules and change them to cover this type of data exchange, so that it doesn’t add cost to users’ monthly bills.
Your Data, Your Privacy
In October 2016, the FCC passed new privacy rules for ISPs. These rules changed the definition of sensitive information and gave consumers more control over what the ISPs could do with their personal information. Previously, ISPs were able to sell a consumer’s browsing history and app usage to third-party advertisers so they could then provide targeted advertising to consumers. Now, the FCC has said that ISPs will require consumers to opt-in in order for them to continue to perform this action.
Prior to the FCC passing these rules, the FTC had been the agency governing how consumer data was protected, and had set the definition of what was considered to be sensitive information. With the FCC reclassifying ISPs to be more like telephone companies in the Open Internet Rules, the FTC is no longer responsible for setting how the ISPs manage the privacy of consumer data.
Now that there are two government agencies protecting consumer data privacy, with two different definitions of what is considered sensitive information, we face a circumstance where Google, the website, can monitor your search history and target ads, but Google, the company providing your fiberoptic internet connection, cannot. This change has left the gaping question about ISPs that own edge service providers, such as Comcast owning NBC Universal or AT&T owning DirecTV, and how the passing of consumer data between a subsidiary and its parent company will work moving forward.
When the hackers took control of all those IoT devices for the DDoS attack, they had created an extensive botnet. Although already frustrating for consumers, what with their devices having been hacked and used maliciously, it could be getting much worse in the future.
At the end of last year, Congress had a new procedural rule up for consideration called Rule 41. Although there are a lot of intricate things taking place in Rule 41, the fundamental principle is that law enforcement is seeking a backdoor to gain access to personal devices after the court case between Apple and the FBI following the San Bernardino attacks. Rule 41 sets forth concepts that allow law enforcement to get a warrant from a judge to remotely search your computer if “the district where the media or information is located has been concealed through technological means.” This means that, simply because you have used a VPN (virtual private network) to connect to your office while out in the field or remotely connect to one of your client’s AV systems to perform standard maintenance, your computer could be subject to remote search by law enforcement because the use of that VPN would be considered suspicious behavior.
Rule 41 applies to the IoT world in that any device that has been used in a botnet attack also becomes susceptible to law enforcement search, regardless of whether or not the owner was aware that the device had been used in the attack. This means that law enforcement could access your unsecured smart device that a hacker used maliciously and, theoretically, any device that it communicates with, on the grounds that other malicious code could have been exchanged between it and the rest of the network.
At the beginning of December 2016, Rule 41 was put forth for debate but not allowed to come to the floor. This lack of action by Congress meant that Rule 41 was adopted into law without a debate, vote or any other considerations from the people who were voted into office to represent the people. This new rule that is now in effect is extremely dangerous when you think about the more than 20 billion devices in the world potentially controllable by a malicious user and then subject to search by the government without the owner being made aware.
Given that the purpose of connecting all of these devices to the network is to gain more information through data collection and then analyzing it to provide actionable information, the question of who owns that data will come into question. The standard answer to the question, “Who owns the data?” is that it varies per contract and user agreement.
Let’s look at a Bluetooth beacon system currently available from an audiovisual manufacturer. Said manufacturer sells this product through its dealers and integrators to a customer. The integrator provides the solution to an end user and incorporates it into the audiovisual control system to trigger system functionality. In order to do so, the Bluetooth beacons in the system must connect to the users’ smart devices. Who owns the data that’s being tracked? Is it the manufacturer, the integrator or the owner?
The user agreement that is enacted whenever people click the “I Accept” button on their computer or phone is what dictates this. It also dictates what personal information will be accessible to the integrator or manufacturer.
Now, let’s say that a hacker gained access to the corporate network by either hacking into the manufacturer’s network and gaining access to the users’ data that they have been tracking, or by hacking into the Bluetooth system provided by this manufacturer and integrator, and embedding malicious code on the users’ smart devices that tracked keystrokes. This code then gives them access to passwords that they then use to hack into the corporate network and gain trade secrets or download ransomware onto the servers to lock up the client’s systems. Who is liable?
In this example, the client has the ability to look at both the manufacturer, as it provided an insecure product, and the integrator (potentially a consultant), as it specified this product that turned out to be insecure and allowed privileged information to be accessed.
The audiovisual integrators and manufacturers looking to offer IoT solutions are jumping into the bleeding edge of technology and need to be aware of the liabilities that come with that leap. If you are accessing and monitoring information about a client, you also need to be able to secure that information and make sure that you are protecting your clients from hacking, just as much as you protect them from devices falling from the ceiling or off of walls by installing the physical equipment in a structurally sound way.
Should Integrators Provide IoT Solutions?
What is an AV integrator to do? IoT has its challenges due to the lack of security standards for manufacturers and the potential liability if you choose to own the data being collected by the IoT devices that you supply to your clients. The fact remains, though, that the direction technology is moving is toward a world where the technology integration isn’t with a building or a single system, but an overall ecosystem.
Your personal device, likely your phone, is becoming the way that you interact with the world. You stream movies from your phone to your television at home: that’s IoT. You stream your presentation from your tablet to the display at the office while connected remotely using a videoconferencing solution: that’s IoT. Smart buildings that know when you arrive in a room and react accordingly are no longer science fiction, but the near-term reality. Audiovisual integrators have the ability to be at the center of that because we are already the companies providing the solutions that integrate all the connected systems, while also providing much of the equipment that creates the user experience through video and sound.
However, being the apex connection to these new IoT environments means that we must take the responsibility not only to understand the risks involved, both the tech policy actions being debated in Washington DC and the security risks that come with the products themselves, but also to provide our clients with the best advice.
Opinionated & Inquisitive Individuals
The audiovisual industry is known for opinionated and inquisitive individuals. We have to shift some of that attention from the common debates that we currently have in the industry to start asking the networking and security questions for these smart devices that we are being asked to provide, or with which we will soon be connecting.
If manufacturers want to provide a smart device, they have to be able to state plainly what information that device will be tracking in order to perform its function. They also need to be extremely clear as to what they are going to do with that data. Will they be retaining it long term, or will it just be an instantaneous reaction with no data storage?
The IoT manufacturers are building groups that are helping to develop standards for platforms, as well as security. Audiovisual professionals need to start getting familiar with their efforts and the standards that are produced so integration goes smoothly.
IoT should not be something that the industry shies away from because AV is uniquely equipped to execute these solutions for our clients. The Internet of Things should become the next item in our toolbox that we can offer clients. Just like every other thing in technology that came before it that AV had to integrate with, we need to educate ourselves, not just on the technology itself, but the issues that come with it, so we can educate our clients and offer the best solutions to meet their needs and provide an exceptional experience.