Speaker Key: PB: Phil Brown, DW: David Whelan
PB: Hi, it’s Phil Brown, and I am here with David Whelan. Today we are going to talk about the Internet of Things.
DW: It is a funny name and I have even heard it called the Internet of Everything, and I think that describes what we are talking about. In the past, we have had client-server networks. You had a PC, or a telephone, or a tablet that you connect to the Internet or to your local home network or office network, and then you would communicate or use that device to communicate with other similar devices or servers.
But now we are seeing everything being connected to the Internet. You may have received advertisements for having your home turned on so you can connect over the Internet and see if your home lights or security are turned on. You may check your baby monitor or your child at their kindergarten class over a webcam. More and more devices are now being connected either to an internal network or to the Internet itself.
PB: Right, so these are the so-called smart objects with interconnectivity built into them. It could be anything from your door lock, which is opening with a Bluetooth command from your phone, to, as you say, a baby monitor or a fire alarm, or anything like that.
DW: Yes, it is really remarkable. You can see on the one hand the convenience that you would get by having things turned on. For example, if I am on my way home from work and I have set up the oven to start my dinner, I can send a command from my phone over the Internet and have that device turn on and start cooking so that by the time I get home, if my house has not burnt down, then I can have a nice, cooked dinner. So there are really a lot of convenience factors built into this Internet of Things.
PB: Now, you have actually had an inconvenience factor in your own home: an experience with your television.
DW: Yes, it is one of those things that you wonder about what your devices are doing. In our case, and I think this is pretty common, you buy a TV that is called a smart TV. Samsung’s brand is Smart TV, but we do not have a Samsung brand. They are “smart” in that they have Wi-Fi connected, or have network connections so that you can share information from your home media server and display it on the television or use Bluetooth and connect.
What they found was that with some of these televisions, the television was actually connecting back to the servers for the television maker, and I think in this case it was LG, and so I immediately got on my network to see if my LG TV was phoning home, because what they were finding was that some of these TVs were indexing and sending back information about the media files that you shared with the TVs - that you displayed on the TV - but also they were just going through all the network resources they could find and sending back indexes of all those files, too.
So if I had photos on a server and had not shown them on the TV, they would still have been trying to send this information back to LG.
PB: Right, and that is one of the things about the Internet of Things that makes this of interest to lawyers and paralegals: the potential vulnerability to hacking, and that a lot of different points in your home now need some sort of security that you might not have considered.
DW: Right. There is a book, if you have a moment to read it, called “How Gadgets Betray Us”. It is a very interesting book because it really talks about the problems we have. There are a lot of companies who are rushing products to market that are going to be part of this Internet of Things, which means that they have server software on them, are network aware, and may be connected to the Internet over Wi-Fi. You can even buy Wi-Fi cameras and all sorts of things now; pretty much everything now can have Wi-Fi in it.
But the software that they are using is most likely going to be open source, so if they are not using a modern version of the software, it could actually already be out of date and have security holes in it. Because it is free, that reduces the cost of making it network aware, but there is not necessarily going to be any way to patch those devices once they have been purchased.
So you might be used to buying a device and putting it in your house, for example, a coffeepot that has Wi-Fi. However, two years later, if you have not updated the software of that device in the same way that you have been updating the software in your phone or laptop, there may be vulnerabilities that have been discovered since then that actually make your coffeepot be used in a way to jump over to your network-attached storage, or to your email server and then extract information that you would not want them to use.
PB: Right, and we know of a lawyer in the Toronto area who was away and someone was able to get in. They gained access to his office network through his home network, but the point of entry was his nanny cam, which was Wi-Fi enabled and not protected. They gained access to his Wi-Fi network at home, where his home computer was connected to his office computer, and they were able to jump onto his office computer through this vulnerability. When they were in the process of checking out some of his bank accounts, someone in the office happened to hear the computer buzzing and turned it off because they knew he was away, but I think that was the only thing that prevented him from having to notify a lot of clients and the Law Society to say, “Oh, by the way, we just had a whole bunch of confidential information leave the office and possibly some trust funds.”
DW: Yes, the nice thing about the Internet of Things is that you already know how to secure it. The solutions that you need are the ones that you are already using. So if you add a device to your network, e.g. your home or office network, and, in essence, anywhere that it could potentially get access to private or confidential information for your practice, it needs to have a password, and it needs to be a strong password.
So that may reduce some of the convenience factor for having whatever that device is on your network, but even if it is lights or a coffeepot, you need to make sure that you have secured it so that people cannot gain access to it without your knowledge. There is a great article by Kashmir Hill - her name starts with a K - in Forbes, and she talks about how she went in and turned lights on and off for people’s houses, and how the control panels for their light switches were freely available over the Net because no one had changed the default passwords for their switches.
PB: And I think this is one of the things people do not think about. You are setting up a home network, it is in your home, but you can see that network outside the home.
PB: And that is why it has to be secure. When setting up their home network from Bell or Rogers or whomever, a lot of people do not change the passwords from admin, useradmin, passwordadmin; they just leave them there because it is simple.
DW: Right, and you may be creating a device that needs to be used by more than one person, and so then, everybody can agree that the password 123456 is a great one for everyone to remember, but it is also great for the people who are trying to get access to it too. Even when you have been really careful, too, about separating your home environment (where you are more likely to find these Internet of Things devices) from your office.
If I have a computer in my home that has no practice material on it but I VPN or connect in remotely to my office, anything that has access to that computer can then do the same thing; so it is not a matter of having your home and office segmented properly, it is that if there is any connectivity between the devices on one side to the devices on the other, then there is a potential route.
PB: And perhaps as an aside in terms of Wi-Fi networks at home, you should definitely amp up the security, but it is also a good idea to activate things like approval of MAC addresses and things like that.
PB: That way, a device is not going to be able to get on your network unless you pre-approve their MAC address, and the MAC address is just the individual address that each device is assigned when it leaves the factory.
DW: Right, yes, the other thing you can do too, once you have blocked the devices by their MAC address or in some other way, you can do the same thing that you are doing with your computer, which is to have a firewall between you and the Internet. So really, only the devices that should have to connect to the Internet or be connected to the Internet should have access to that.
So if you are not already using a firewall in your Internet router in your office or in your home, and really you should have them in both places, then turn them on and look and see what kind of traffic is going by; because that is where you would see if your TV was sending things to LG and you had not been doing any surfing to LG; you can see that in the traffic logs.
The other thing you could also look at is OpenDNS, which we use in our house. It is a Web filter and Web security tool. It is free for home users (corporations have to pay), but this sort of thing allows you to essentially filter out sites that are known to be part of scams or other nefarious things. So even if you were not aware that your coffeepot was emailing back your credit card data to some company in a country where hackers are prevalent, you could have this DNS service that would sit between you and that service that would be doing that sort of blocking for you, that sort of prevention.
PB: Right. That is our look at the Internet of Things.
DW: Yes, be safe out there on the Internet of Things.