The Dark Side of “You Will” in the Internet of Things

Thursday, April 02, 2015

Christopher Budd

3428b21bc539312dd5e2d34078d7cd41

A big part of what makes technology exciting is the promise it holds for the future.

Back in the early 1990s, AT&T capitalized on this with their “You Will” campaign, which outlined some of the things they said “you will” be able to do in the future. (The ads are great to watch today to see what they got right, what they got wrong and just how clunky a lot of the devices they predicted are.)

We’re in another period of excitement about the future with new technology in wearables and Internet-connected devices. In the technology world, we call all this the “Internet of things” (IoT) or “Internet of Everything” (IoE) (Because, the technology world loves three letter acronyms (TLAs) so much we have to create TWO for the same thing.) Whether it’s the Apple Watch, smart home security systems or even Internet-connected refrigerators, there’s a lot of exciting potential coming with new devices that are said to make life even more convenient.

We are once again in a “you will” period.

However, between 1993-1994 when these ads (YouTube) aired and today, the world has changed in a way that gives “you will” a more sinister side with the Internet. We have to take the lessons we’ve learned from the 20+ years of connecting to the Internet and apply them when we talk about IoT. We’ve learned the power and convenience the Internet brings benefits not just you, but those who mean you harm. Not only do you have to play the “have you ever….you will” game with the benefits that IoT brings, but with the risks, too.

Here are some hypothetical examples of negative “have you ever….you will” questions based on technologies that are already available or coming soon:

  • Have you ever had someone in Central Russia connect to your toothbrush and find out when you brush your teeth and how often?
  • Have you ever had a dangerous ex know your every move and find you on a jog and threaten you?
  • Have you ever had information about the depression drugs you take posted on the Internet?
  • Have you ever received a phone call about your refrigerator sending spam to hundreds of thousands of people, and it is now being used to bring down a major news site?

You will. Or at least, you may. While these scenarios are not certain, and not necessarily probable, they are possible. However, we have to consider these risks because wearables and Internet-connected devices are taking us into a new world where the impact of security breakdowns becomes much more serious.

Two main reasons come to mind for security and privacy in the IoT era:

1. New kinds of technology are untested against the threats that the Internet will throw at them.

2. The devices are closer to our personal, physical security than anything we’ve seen or experienced before.

These points make for a potentially frightening situation. Together, they enable the possible “have you ever….you will” scenarios above.

The first point, that these are new and untested, is something we’ve seen twice before. When we connected PCs to the Internet and then smartphones, they were untested against the threats on the Internet, and we saw an explosion of security problems. Computers and smartphones now face malware, scams and malicious activity thanks to the Internet. We connected these technologies to the Internet and couldn’t anticipate what the threat environment would do to them. It took years of “battle testing” to understand what the threats would be and how to counter them. We’re still fighting this battle, sometimes winning and sometimes losing, but always fighting.

With wearables and Internet-connected devices, we have a very similar situation. Again, we’re about to connect devices to the Internet that have never been connected before, such as toothbrushes, refrigerators, cars and coffeemakers. What kinds of threats will they face? We simply don’t know because this has never been done before. Therefore, we can expect a similar sequence of events to occur.

However, the second point makes this third time much more serious. A security problem with your computer can cost time and money. A security problem with your smartphone can cost time, money and privacy. But with these new devices, a security problem can cost all three plus real risks to your or your family’s personal safety.

The reason things are different and more serious this time is because of what these devices are and what they do. They are with us all the time and gather information from our bodies, lives and families. They are assisting us now in the most intimate and vulnerable parts of our lives. Therefore, when things go wrong, they can threaten us more than any technology innovation has in the past.

This isn’t to say we’re doomed to repeat history or the worst will happen. We have an opportunity today to take steps to prevent the worst by asking smart questions, such as “what are the security protections,” “how are you going to protect me and my information” and “what’s the worst that can go wrong and what can I do to help prevent it?” All of these are the questions that consumers of tomorrow should be asking today.

In security, we raise alarms not to cause panic but to prompt action. The bright future of technology is intriguing and exciting, but we must first take responsibility for our security and privacy as to avoid any downfalls.

“Have you ever talked with a clerk from India in a virtual store about how their Internet-connected, implanted health monitor is protected against hackers and keeps your data safe?”

“You will.”

About the Author: Christopher Budd is a global threat communications manager with Trend Micro, whose focus is on communications around online security and privacy threats to help people understand in plain English the risks they face and what they can do about them. In addition, he focuses on managing crisis communications utilizing a framework and processes he helped put in place.

Prior to Trend Micro, Christopher worked as an independent consultant focused on helping clients build crisis communications frameworks for online security and privacy incidents. Christopher draws on his experience as a ten-year veteran of the Microsoft Corporation, where he oversaw and managed worldwide internal and external communications around security and privacy incidents affecting Microsoft customers. During his tenure at Microsoft, he pioneered new strategies and tactics embracing new media technologies that dramatically improved the handling of communications around incidents and helped, as he likes to say, “make awful news just bad”.

Possibly Related Articles:
10526
Vulnerabilities PDAs/Smart Phones
Hardware Software
Security AT&T Internet of Things IoT IoE Christopher Budd
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.