No Sooner do we Secure Our iPhones Than the Home Invasion Begins

Particle Debris

The pace of personal security continues to accelerate. First, we spent years learning how to secure our routers and Macs. Then we focused on our iPhone security and got that pretty much under control. Now, a new wave of home automation devices is poised to enter our residence, and they're not made by Apple. Danger is lurking once again.

______________________

The modern customer who surfs on top of the blue waters of the Internet generally has no idea of what's going on under the water. The enormous layers of complexity and software abstraction mean that we can no longer understand what's going on under the hood of our devices with the time we have available for study. There are sharks near the surface of those waters.

What that means is that 1) all devices tend to look and operate alike because the market leader is copied, 2) the various settings and preferences presented to us are a mere shadow of the complex technology underneath, and 3) for companies rushing to compete in the consumer market, excruciating, expertise-based attention to security detail is unprofitable. As a result, we have to place a lot of trust in the companies we buy Internet-enabled products from.

We have a natural human tendency, a weakness, to think that incursions will leave telltale signs. But they don't. Our Internet devices just sit there quietly and look like they're doing nothing when, in fact, a lot is going on underneath the hood. That deception leads to complacence.

There was a time, not long ago, when the only device the family had on the Internet was perhaps a family Mac or PC and maybe a PowerBook belonging to a student in the family. Today is different. Recently, I had to upgrade to a new router because the number of devices in my house with IP addresses had gone into the range of 30. When we had guests at Christmas, they couldn't get on the Internet with their iPads. We had to shut stuff down.

Things are about to get dramatically worse for all of us. In a few short years, with home automation on the upswing, it wouldn't be crazy to think about several hundred devices in the home with IP addresses. And every one of these devices is a potential target or entry point into the privacy and security of the household.

In the past, as I recall, household electrical devices were certified by Underwriters Lab. There was a "UL" label on the power cord that affirmed that the devices met electrical safety standards and could be used with confidence. It would be nice if we had something similar for Internet devices we install in our home. But this time the certification would be for a high level of consumer security. But I don't see it coming.

Meanwhile, it's the wild, wild west, and it's a free-for-all. Never has it been wiser for consumers to beware of the vulnerabilities of the devices they buy. This week's tech news debris is 100 percent devoted to articles that address all that.

Next: the tech news debris for the week of Aug 11. VNC free-for-all, badly designed firmware, tricking the smartphone's gyroscope into being a listening device, and whether Apple can once again save us from The Internet of (insecure) Things.

Comments

Lee Dronick

If I understand it correctly, the Target data thieves got into the system via air conditioning controls that were connected to the internet.

Paul Goodwin

Or we could not connect any of it and just push buttons and turn knobs either on the devices or on remotes. I don’t want to have to worry about Internet security any more than I do today.

Today, the biggest security threat I have is when the grandkids are visiting and downloading all manner of adware along with their online games. The game sites load up their downloads with executables that are defaulted to install automatically. If you don’t uncheck the boxes when you hit the download button, you get all kinds of crap. The kids just click OK.

ibuck

thieves got into the system via air conditioning controls

That ain’t cool.

But seriously, I have been avoiding Target because I don’t think large corporations change their stripes that quickly, despite their CEO’s dismissal.

 

Lee Dronick

This may only be for Chinese customers, but Apple is reportedly going to store customer data on servers located in China. If domestic customers’ data was going to be stored there, then why is Apple building those huge server farms? Anyway

http://in.reuters.com/article/2014/08/15/apple-data-china-idINKBN0GF0NF20140815

wab95

John:

Where to begin with your picks for this week?

There is so much substance here, the only practical option is to stay thematic and general.

The first thematic point is that Apple’s strategic choice of a locked down system has paid off in dividends that few anticipated: security. The value of this feature, particularly for those of us travelling to, working in authoritarian environments, or on the radar of security agencies, is often not factored into device price considerations of iPhones vs the garden variety low-mid range Android device. I suggest that the cost-benefit ratio for iPhones just got substantially sweeter. Yes, there is a worrisome trend, as noted by the Washington Post piece, that the more affluent will remain relatively more impervious to security compromise than the masses enjoying the lower direct costs of Android, but consumers with choices will have to give more thought to their priorities.

Second, it is equally clear that the superior security of iOS devices (and not simply the OS itself, but the hardware) is no accident. We have said many times, Apple plays the long game. One aspect of that long game was hinted at a few years ago (not certain of the date) when Apple began very public recruitment of senior security personnel, which TMO covered and suggested that Apple were very serious about security. Indeed, they were and remain. What is clear now is that that security was not confined to things like cloud services and, very importantly, their online stores and customer accounts, as critical as these are (just ask Sony, Target, and a host of others), but in anticipating where vulnerabilities lie not just now but in the future. The choice to hardware-encrypt the iPhone was simply ahead of the industry but not its time. Rather, it was timely, but not anticipated or emulated by the rest of the industry; not by Google or its OEMs or by MS and Nokia or Blackberry. No accident, just forethought and brilliant execution which, by the way, has a price. I suggest that this security gap, which shows no sign of closing, will only widen and will be a progressively greater product differentiator for those with a need/desire for personal/corporate security. It will come down to values and priorities. If open source, maximum configurability, side-loading and other Android-relevant features are important, then the indirect cost is security compromise - assume that governments and bad guys are a silent third party in all your device doings. If security and privacy is your preference, be prepared to pay a bit more in direct costs, and to have fewer configurability options - unless you jailbreak, in which case, why not simply go Android in the first place?

Third, all of these revelatory articles and videos on security backdoors are actually a good sign. During the PC era (and this is another indicator that we are now into a new post-PC era) there was no advance discussion about potential security compromise with viruses and malware until it began to happen. Consumers and industry were hit, at great direct and indirect cost, and the industry (read MS) had to play catch up, always three to five steps behind the bad guys. Today, the entire security industry, who are also consumers with a vested interest, are revealing as many vulnerabilities with concept exploits as fast as they can publish them and share them with manufacturers and providers, often in advance of them appearing in the wild. Apart from demonstrating that the greatest looming threat from our still annealing interconnectedness (the internet of all things) is not the singularity so feared by some futurists (i.e. the emergence of a single consciousness of our electronic devices), but security exploits by bad guys that can result not only in cybercrime, but terrorist attacks (blowing things up, burning things down, opening up the gates of hell - take your pick). To harden our tech progress against this, without appreciably retarding that progress requires facilitating that dialogue and interaction between industry, government legislators and regulators, and the white hat ‘hacker’ community, while preserving the independence of the hacker community. Should ‘hackers’ be co-opted by industry, they run the risk of falling into the group think that creates security blind spots in the first place. Only by having a knowledgeable community that can think differently about a problem, and attack it from a fresh perspective, can we have a robust system of practical peer review and protection.

If done well, all of this can result in a safer, yet more interconnected and serviced world community than allowing fear to grind that progress to a halt at the expense of unrestrained human progress.
