This article was authored by Stefan Hammond, and was originally posted on telecomasia.net.
My colleague Tony Poulos documents the "IoST" (Internet of Silly Things) in his blog-posts. But as more consumer devices are connected to the IoT, it's gaining a new aura: the Internet of Creepy Things.
Consider: a global network allows individuals to rent out spare rooms for extra cash, and allows other individuals to book those rooms via a neutral platform (Airbnb). Sounds good, but like any system anywhere anytime, people figure out ways to break, corrupt or otherwise subvert the workings thereof.
The Observer reported on a hidden camera discovered by a couple renting an Airbnb room Stateside: "Rooms rented through Airbnb occupy a murky grey area between guest room and hotel room," wrote the Observer. "On the one hand, homeowners have a right to surveil their own homes with nanny-cams. On the other, a hotel guest has a guaranteed reasonable expectation of privacy in places like bedrooms and bathrooms."
Grey areas get greyer
How about launching a script on the host's Wi-Fi network to "find any Wi-Fi cameras on the network and disable them"? "The rise in popularity of cheap cameras like Google’s Nest DropCam make it easier than ever for homeowners to install basic surveillance systems," wrote Patrick Allan on lifehacker. "Fortunately, engineer and software developer Julian Oliver came up with a simple script to knock those types of cameras offline."
Unfortunately: "Oliver explains that it may be illegal to run due to changes made by the FCC [in the USA] last year...so use the script at your own risk." While other locales aren't subject to FCC rules, interfering with other devices on a Wi-Fi network you don't own is likely unethical and/or illegal.
Because Airbnb occupies a grey area between guest room and hotel room, nothing's clear-cut. The homeowner owns and operates the Wi-Fi network and can connect whatever they want to it.
It's been said that privacy is increasingly becoming a commodity: if you want it, you pay for it. That Airbnb room may be cheaper, but the pricier hotel has an existing legal framework protecting your privacy during your residence. Expect more such trade-offs as more services like Uber and Airbnb enter the cyberdrome.
What about your Wi-Fi network back home? According to an article on Ars Technica UK, IoT search engine Shodan recently launched a service that lets users easily browse vulnerable webcams: "Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on."
Dan Tentler, a security researcher specializing in webcam security, told Ars Technica UK that "he estimates there are now millions of such insecure webcams connected and easily discoverable with Shodan."
The article says this highlights the pathetic state of IoT security, and part of it is simple economics. People want cheap webcams. Hardening security on these devices adds to the cost, but...people want cheap webcams. This simple and vicious cycle means millions more unsecured webcams will pop up on Shodan – which ironically makes their paid service more valuable to snoopers.
It gets creepier.
Your computerized things talk about you behind your back
Schneier continues: "The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer. Your computerized things are talking about you behind your back, and for the most part you can't stop them -- or even learn what they're saying."
OK, so it's some startup in India, should we worry? Schneier declares that "surveillance is the business model of the Internet, and the more these companies know about the intimate details of your life, the more they can profit from it." He writes that startups like "SilverPush, 4Info, Drawbridge, Flurry, and Cross Screen Consultants, as well as the big players like Google, Facebook, and Yahoo, are all experimenting with different technologies" aimed at cross-device tracking: collating data from the various devices you own. And devices you'll own in the future, as the IoT continues to proliferate in the consumer space.
What can we do?
As Netizens, we should continue good personal security practices (use strong passwords, two-factor authentication, protect personal information, be aware of social engineering scams) and realize that much of the surveillance Schneier mentions is aimed at retail business. Expect intrusive advertising as part of the price of admission.
The IoT is happening no matter what – is that a bad thing? No. The majority of "things" on the IoT will be cheap sensors monitoring industrial processes. We need to apply good security practices on more complex devices like thermostats, TV sets, cameras, and all internet-connected devices including, of course, webcams.