Sure, encrypt your email – while your shiny IoT toothbrush spies on you

Harvard's internet arm frets about gizmo security

Analysis The increasingly noisy debate over encryption is nothing to worry about, eggheads at Harvard have announced today: it's your toothbrush you need to worry about.

In a 37-page paper titled Don't Panic: Making Progress on the 'Going Dark' Debate [PDF], a team from the Berkman Center has summarized discussions between themselves, security experts, and a number of unnamed people from the US intelligence community.

The goal of the discussions was to bridge the gap that has opened up between law enforcement and politicians – who have been asking for backdoors in software products and access to encrypted information – and tech companies and security bods, who have been arguing that strong encryption is critical for our digital future.

The end result is a very readable summary of the current situation with respect to encryption and why the FBI feels end-to-end encryption is a danger. Ultimately though, beyond producing a useful article for Wikipedia, the paper boils down to two things:

  1. The Feds shouldn't worry too much about encryption because it's not in tech companies' financial interests to provide it, and
  2. Whatever evidence is lost from the end-to-end encryption of, say, text messages will be more than made up with the expansion of Internet of Things products that have horrible security.

The first point: "First, many companies' business models rely on access to user data. Second, products are increasingly being offered as services, and architectures have become more centralized through cloud computing and data centers."

So because it's not in companies' interests to do so, they won't create truly secure end-to-end encryption for everything. Which means eavesdroppers will still, somewhere along the line, have access to sensitive stuff like encryption keys: law enforcement can get a court order (or otherwise pressure the corporation) to hand over the necessary information or cough up the knowhow to successfully wiretap internet-connected gadgets.

The paper notes two additional elements in favor of this argument: one, fully secure encryption is technically complex and can impose a performance hit on low-end devices; and two, the ecosystem of electronic devices is so broad that it is a pain to introduce a system that will provide trustworthy end-to-end encryption across all of it.
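The key-custody point above, as an added illustration that is not from the Berkman paper or this article: two toy messaging services that differ only in who holds the key. The cipher (HMAC-SHA256 used as a counter-mode keystream plus an HMAC tag) is a stdlib-only stand-in chosen so the snippet runs offline; it models key custody, not the strength of any real product's cryptography. The class and function names are my own.

```python
"""Toy model of provider-held versus end-to-end key custody (added example).

Constructed for illustration: the cipher is HMAC-SHA256 in counter mode with an
HMAC tag, so it runs with the standard library alone. What matters here is not
the cipher but who can call decrypt() when a court order arrives.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes via HMAC over a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce per message."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise on tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class ProviderHeldKeys:
    """Service-side encryption: the provider generates and stores each
    user's key, so a lawful order served on the provider yields plaintext."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.mailbox: list[tuple[str, bytes]] = []

    def send(self, sender: str, message: bytes) -> None:
        key = self.keys.setdefault(sender, secrets.token_bytes(32))
        self.mailbox.append((sender, encrypt(key, message)))

    def comply_with_order(self, sender: str) -> list[bytes]:
        # The provider holds the key, so it can hand over plaintext.
        return [decrypt(self.keys[sender], blob)
                for who, blob in self.mailbox if who == sender]


class EndToEnd:
    """Keys live only on user devices; the provider merely relays ciphertext."""

    def __init__(self) -> None:
        self.mailbox: list[tuple[str, bytes]] = []

    def send(self, sender: str, blob: bytes) -> None:
        # The client encrypted before upload; the service never sees a key.
        self.mailbox.append((sender, blob))

    def comply_with_order(self, sender: str) -> list[bytes]:
        # Best the provider can do: hand over opaque blobs.
        return [blob for who, blob in self.mailbox if who == sender]


def demo(message: bytes = b"meet at noon") -> tuple[list[bytes], list[bytes], bytes]:
    """Run both models on one constructed message and return what an order
    yields from each, plus what the device itself can still recover."""
    provider = ProviderHeldKeys()
    provider.send("alice", message)
    from_provider = provider.comply_with_order("alice")

    device_key = secrets.token_bytes(32)          # never leaves the device
    relay = EndToEnd()
    relay.send("alice", encrypt(device_key, message))
    from_relay = relay.comply_with_order("alice")
    on_device = decrypt(device_key, from_relay[0])
    return from_provider, from_relay, on_device


if __name__ == "__main__":
    held, relayed, recovered = demo()
    print("provider-held keys ->", held)
    print("end-to-end relay   ->", [b.hex()[:24] + "..." for b in relayed])
    print("device decrypts    ->", recovered)
```

The two services share the same cipher and the same message; the only difference is whether `decrypt` can be invoked with a key the provider possesses. That is the property the paper's first argument turns on, and it is independent of how strong the underlying algorithm is.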

We can see you

As to the second, scarier point: the internet of things super-surveillance net.

The paper has this to say: "The Internet of Things promises a new frontier for networking objects, machines, and environments in ways that we are just beginning to understand. When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be. These forces are on a trajectory towards a future with more opportunities for surveillance."

The paper uses recent examples, including the Samsung TV, the listening Barbie dolls, and Amazon's Echo. It also makes reference to an interesting case back in 2001 when the FBI tried to get a car company to use its roadside assistance service to record conversations in a vehicle. The company took the matter to the US Court of Appeals, which shot the FBI's case down but, according to the Berkman Center, not on surveillance grounds. By extension, it says that it is possible your car could act as a bug against you so long as your car's security features aren't impacted.

For some reason, however, the paper doesn't then point to the high-profile recent cases of cars being hacked.

It's not just cars though: "Appliances and products ranging from televisions and toasters to bed sheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables are being packed with sensors and wireless connectivity."

The argument is that this wealth of devices is going to provide intelligence services with the ability to track and listen in to people far beyond what they can do now. Hence: let's not worry about encryption – your kitchens and bathrooms are being bugged anyway.


Biting the hand that feeds IT © 1998–2022