NEW YORK — Last October, when dozens of large websites were taken down after a distributed denial of service (DDoS) attack, how many of us thought at the time that the Internet of Things (IoT) might be involved?
Apparently, it was — and those kinds of attacks aren’t going to stop, according to Ph.D. candidate (she’s studying the political philosophy of technology) and The Coming Swarm author Molly Sauter, the keynote speaker at the inaugural Hacker Connect conference.
“The IoT promises to bring us convenience, security, better understandings of ourselves and our environment — but what it actually brings is surveillance and loss of privacy and data,” said Sauter.
What’s the IoT? Sauter described it as “a combination of the deployment of sensors, automation, big data, mobile apps and cloud computation storage, attached to everyday items, processes and systems.”
The IoT includes items like:
- Nest (and other brand name) thermostats to control a home’s climate
- Smart locks to manage home entry
- Smart video cameras for additional security
- Smart footballs to track your spiral throws
- Smart egg cartons to check freshness
- Smart jars to reorder your coffee or quinoa
- Smart water bottles to track your hydration over time
- Mattress covers that turn lights off and lock doors
- Even menstrual cups with bluetooth capability
Nest might be the best-known smart home device; it started as an automated remote thermostat system. “It learns your schedule through the day, so when you’re gone it doesn’t heat your house but when you come back, it does.”
Now the Nest includes smoke, carbon monoxide and “works with Nest” related devices, like smart light bulbs and home sprinkler systems.
At the beginning of 2016, Sauter noted, a software glitch caused Nest batteries to drain — leaving users with no heat (in January), and no way to turn heat back on.
The fix was a nine-step process involving a three-hour charge cycle.
“Like most tech companies, and frankly like most companies, Nest’s terms of service (TOS) agreement — it’s worth noting that it has both terms of service and a licensing agreement — limits damages, prohibits class action lawsuits and requires all disputes to be resolved through binding arbitration in San Francisco,” explained Sauter.
Other products have similar TOS agreements “that disclaim liability and strip customers of their rights to a day in court,” she added.
So what’s the problem?
Each of these devices, Sauter pointed out, “fundamentally relies on the cloud to operate, whether to perform analysis or just as a path to other various devices.”
While many of us might think that seems very safe, indeed, Sauter had a stark reminder: “There is no cloud; it’s just someone else’s computer.”
And so, she added, “the magic of the cloud, like all magic, comes at a price.”
What’s the price? Continual transfer of data about you — your habits, speech and possessions — away from you and into a variety of third parties.
“So what?” you might be thinking. But there are significant privacy issues that emerge if you begin to follow the rabbit down its hole.
Take the smart fridge from Samsung. When you close the door, it takes a picture of everything inside your fridge. “This is so if you’re at the grocery store and you’re like, damn, I don’t know if we have eggs — I’ll check my phone from here,” said Sauter. “It’s terribly, terribly convenient.”
However, refrigerators aren’t just for food these days — some people take medication that requires refrigeration. “Does the Samsung smart fridge conform to HIPAA guidelines when taking, storing and transmitting these pictures, or is this just a giant privacy hole?”
And remember those third-party recipients of your personal information? What if your fridge and nutrition tracker is connected to your health insurance or your employer? They might not appreciate your nutrition choices.
Lack of redundancy
For technology to be safe and reliable, you need redundancy — proper technological backups to manage failures.
Do you store an extra fridge in case your fridge crashes, Sauter asked? A backup thermostat in case another bug sneaks into a Nest update?
What does IoT have to do with DDoS?
Sauter suggested a new collective noun for IoT devices — “a botnet of IoT devices” — and used it to explain the fall 2016 internet outage.
“When you type a URL into your web browser, you’re typing a human-readable URL,” she noted. But Google lives at a semi-permanent machine address. “The DNS [domain name system] translates human-readable URLs to machine-readable IPs [internet protocols].”
Some platforms rely on collecting data from all over the internet — Twitter, Facebook and other social media websites, and many more. A company called Dyn provides DNS support to many of the largest companies that require this type of distribution.
Last October, Amazon, BBC, Slack, Zillow — and dozens of other big websites — all went down because a botnet was attacking Dyn’s DNS system.
“This botnet was made of IOT devices,” explained Sauter, including closed-circuit television cameras, webcams, baby monitors, routers and a few other subcategories of devices.
Those devices combined were able to produce an estimated load of 1.2 terabytes per second — currently the largest DDoS on record.
“The ultimate interpretation of this particular situation is the DDoS is coming from inside the house,” Sauter noted.
“IoT represents a very salient and present threat to the network that those same devices run on.”
What can be done?
Consumer-grade IoT devices are becoming so prolific that if even just a portion of them were compromised, it could be disastrous, said Sauter.
The protection from botnets or other types of hacking isn’t robust enough yet, she added.
And DDOS attacks are not going to stop. “More devices are going to get smart; we’re going to keep putting more chips on more things,” predicted Sauter.
Is there anything that agents can do to help protect consumers? “Tell people not to put this shit in their homes,” Sauter advised bluntly. It’s simply not secure, even with a password-protected phone.
Have you ever lost your phone, Sauter asked? Has anyone who didn’t have your best interests at heart ever had access to your phone?
Although it might not seem realistic, Sauter believes that the best way for agents to serve consumers is by cautioning them against the potential risks of making their homes smarter.
“The consumer has no real control over these devices,” she concluded.
Hacker Connect was created by and for the real estate technology community at the beginning of Inman Connect. The group includes 370 engineers, developers, designers, product managers, database architects, webmasters, and technology executives from across the real estate space.