Can Rep. Suzan DelBene keep your fridge from launching spam attacks?
Last January, a fridge was caught sending spam emails as part of a larger botnet attack: In other words, someone out there remotely accessed more than 100,000 devices, including televisions, routers, multimedia centers and at least one fridge. This person (or persons) used those devices to send more than 750,000 spam emails between December 23, 2013 and January 6, 2014.
Fast forward a year and Washington congressional Rep. Suzan DelBene, D-Medina, is on the case. DelBene, a former Microsoftee, is the co-convenor (with California Republican Darrell Issa) of a congressional caucus focused on the security of what, in the tech world, is known as the Internet of Things. Last week, she gathered a group of local Internet of Things business leaders and academics at Inrix's Kirkland headquarters to advise her on the biggest security threats and issues facing the industry.
The Internet of Things (IoT to tech enthusiasts and those who enjoy speaking in acronyms) is the concept that, beyond our laptops and desktops and iPads, there is another network of connected devices popping up across America. We now buy and install Internet-connected computers in our homes and on our bodies that monitor our exercise and energy use; that record video of our homes while we're at work; and, yes, that tell us when our fridge needs servicing.
"If the Internet of devices is in the billions," explained Eric Broderson, Impinj president and CEO, "the Internet of Things we think is in the trillions."
But there's a darker side to all of this. Someone hijacking your fridge to send mass emails about the newest Viagra supplement is almost funny. Someone hacking into a central server that stores energy information about all of its customers less so. Think about it: This hacker now knows your name, your address, and what time you tend to turn your lights and appliances on and off, in which rooms. If they've hacked into that server without being detected, they could use it to track your movements throughout your home in real time.
Now things start to look a lot scarier.
Dave McLauchlan is the CEO of Buddy.com, which analyzes data from the Internet of Things to give companies insight into how people are using their products. As he sees it, that possible security breach isn't too far off. "This is the year we're going to see the equivalent in IoT of the Target credit card breach," he told DelBene. "That will be a first and that will wake a lot of people up."
Part of the problem, apparently, is the lack of agreement about whose problem this is: Is it up to consumers to educate themselves about how each company is using their data?
"We need to bring the user into the loop and to provide security in a holistic manner," recommended Dr. Shyam Gollakota, who leads the Networks and Mobile Systems Lab at the University of Washington's Computer Science Department.
Others were less enthusiastic. "Nobody really reads the use permits that we get on our apps or when we install software," said Seeq VP of Emerging Markets Michael Risse. He was talking, of course, about the pages of legalese we're all supposed to agree to when we download new software or update the apps on our phones. Most of us click agree without even glancing at the policies these agreements lay out. We have no idea how they're going to use our personal information — and we don't have the time or energy to find out.
After the round table, he would point out that refrigerators and other connected devices don't usually even come with a user agreement.
If consumers can't be expected to keep track of it all, perhaps it should be up to Congress to shape policy that will keep consumers and their private information safe. "As policymakers, it's important that we're informed and that we keep policy up to date," DelBene said Wednesday.
But federal policy, she admitted, is still far behind. (DelBene joked that she and Issa nearly attended a South by Southwest tech policy panel decked out with giant brick cellphones and gadgets from the year the last comprehensive national electronic communications policy was written — 1986.)
One possible solution came from Risse: a nationwide fair use policy that would lay out what is and isn't OK for companies to do with different types of personal data.
It seemed like the best idea of the bunch, but whether or not DelBene and Issa could get it through Congress is another story.
Even a policy like that wouldn't alleviate the concerns of the more security-savvy international tech markets out there. Take Europe, for example, which isn't too happy about recent revelations that the U.S. government has had backdoors into most major tech products.
"There is not a European company that will store their data in the U.S.," McLauchlan said.
For DelBene, the trick is to start at the beginning.
"We have a lot of folks who aren't as technology savvy," she said, in reference to her fellow members of Congress. "We need to make sure that everyone at least has that same set of information and education."