This year’s Consumer Electronics Show (CES ‘17) showcased numerous internet of things (IoT) devices but was found wanting when it came to security concerns. In his UX of IoT report from CES, Scott Jenson assesses that “companies really, really, REALLY want to make home automation systems,” but how can we begin to consider the ethics when developers don’t even consider security risks?

IoT systems pose two security challenges. First, they can be manipulated as surveillance infrastructure to target vulnerable people. Second, insecure devices can be turned into remotely controlled networks that cause harm, such as taking websites offline. In fall 2016, malicious actors harnessed about 500,000 hacked devices such as CCTV cameras to comprise the Mirai botnet. This botnet used distributed-denial-of-service (DDoS) attacks to take parts of the internet offline. This included Twitter and all top-level domains from the country of Liberia.

Understanding risks

When people put IoT devices in their homes, they open themselves up to the risk that those devices could be used by a malicious actor to learn more about them. As former U.S. Intelligence Chief James Clapper has said, “in the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location-tracking, and targeting.”

Some people may not be concerned about governments spying on them, but if they enjoy using the internet, they should consider how their devices can be harnessed as bots to affect the greater good. Botnets are a direct threat to the open internet, as the cost to secure sites against such an attack is estimated at $150,000 or more per year. Since such protection is unaffordable for both individuals and most organizations, DDoS attacks are effectively a form of censorship. It’s not a far stretch to see how hacked devices could be commandeered to silence journalists.

An insights toolkit for people who build connected things

The upsides of IoT are self-explanatory, but at Simply Secure, we want IoT systems to be built with a bias toward protecting people’s privacy. As a first step, we have been working with Mozilla’s Open IoT Studio to identify gaps in professional knowledge. Our shared goal is to assemble tools that developers can use to protect people’s privacy and the open internet.

At MozFest in London and ThingsCon in Amsterdam, Simply Secure conducted research to understand participants’ priorities around IoT and privacy. We created what we call the Insights Toolkit for Building a Trustworthy IoT. This toolkit is meant to guide discussions that will help developers and technologists identify technologies that inspire and worry them and to learn where they can go for more information. The toolkit is on GitHub and includes questions, worksheets, and other assets. It can be forked, translated into other languages, adapted, localized, and continually improved.

Photos of study materials, such as colored bits of paper and user responses on a visual survey.
A workshop we facilitated at MozFest in London, where we used the Insights Toolkit to understand developers’ priorities for IoT security. (October 2016)

Top insights: Resources and fighting botnets

Based on discussions with about 30 developers at MozFest, the greatest challenges to get IoT developers to consider better security practices are 1) identifying reliable sources of security information (e.g., blogs) to respond to their skepticism and 2) equipping developers who are already on board with stories to convince their colleagues of the benefits of good security practices.

“Stackoverflow isn’t going to cut it for security.”

Developers are curious and eager to get more information, but there is no consensus about reliable sources of security information. MozFest and ThingsCon were consistently mentioned as places where professionals expect to get information about privacy-preserving technology, but there is still a need for more specific, actionable recommendations that developers can deploy immediately. Stackoverflow, a knowledge-sharing website that is popular among developers, was mentioned as a useful resource for some questions but viewed as unreliable for security information.

“What’s the problem with using a Raspberry Pi to get a cat to come to a web cam?”

One of the most evocative stories during our MozFest workshop was a developer whose colleague programmed a Raspberry Pi to move a mechanical arm and make a rattling noise that would summon his cat to a home video camera. This participant scoffed at the possibility that his home was vulnerable because he had not programmed any security into his device. To the colleague, this Raspberry Pi hack was a bit of harmless fun. It didn’t occur to him that his program could be manipulated by a third party either to gather private data about his home devices or to become part of a botnet that would harm other parts of the internet. When challenged about these security risks, he retorted, “it’s just scaremongering by people who want your money.”

“It’s just scaremongering by people who want your money.”

The colleague made a fair point. Both consumers and developers question the value of privacy due to the assumption that companies manufactured concerns to increase sales of security products. For years, marketing teams told consumers that antivirus products were essential for their computers. However, research reports such as Google’s comparison of experts’ and novices’ behavior for online safety showed that experts don’t consider antivirus protection to be an important element of security. Those kinds of mixed messages can make people distrustful.

Conclusion: Building professional knowledge

There is a lot of commercial hype about IoT applications (brilliantly skewered by the Internet of Shit Twitter account). Developers who want to build their professional reputations intensify the hype in their eagerness to master new frameworks and APIs. From their vantage point, privacy advocates bring an unwelcoming message that quashes good-natured enthusiasm for building new things. However, no one doubts that IoT devices can benefit society in many ways (i.e., saving energy and conserving natural resources). The challenge for people who care about an ethical IoT is to support developers in building things they want to build by incorporating security practices into their workflows.

Simply Secure’s initial research indicates that developers can be skeptical of security claims and unsure where to go for accurate technical advice. At Simply Secure, we want to distribute open resources to help developers do their best work while preserving privacy for IoT applications and beyond. If you’re working on an IoT project, use our Trustworthy IoT toolkit to build awareness with your colleagues about security.