Sure, encrypt your email – while your shiny IoT toothbrush spies on you

Harvard's internet arm frets about gizmo security


FBI just wants your phone data, not your smart toaster's analytics

While the paper makes some interesting observations and provides a useful reference for the ongoing encryption debate, it does seem a little desperate to arrive at a conclusion, and so stretches the IoT analogy to, and a little beyond, its logical breaking point.

The fact is that the FBI doesn't want encryption on phones because phones provide crucial intelligence on specific individuals. It is a single device, it contains information, and it can be used to build a prosecution case.

It is hard to imagine an FBI agent picking up a phone at the scene of a crime, realizing it is running iOS 8, calling HQ, and saying: "It's all encrypted – wait! Quick, get me a feed of all the baby monitors in a two-mile radius."

The situation is different, of course, for the security services, which tend to want to track things in the background and keep tabs on people. Plus they have vastly greater resources and the authority to do things like hack toothbrushes. It's also the case that people are going to be less wary – or aware – of devices that they don't own, or which serve different functions. So in that sense, it is possible that those at the end of an investigation may reveal more than they would over a mobile phone.

Even so, the fact is that rather than working with one limited set of companies – telcos, for example – equivalent surveillance using IoT products means either hacking devices or building relationships with a significantly larger number of manufacturers.

As to the user data/advertising argument to explain why encryption won't be used very broadly: that also appears to rest on the assumption that mass surveillance is more useful than targeted surveillance.

Wrong metrics

There is a market for specific devices and apps that provide a high level of security, and the prices for them are coming down. When they come down to a low enough level, a large part of the general population will value their privacy sufficiently to pay for it, and then the people using those devices for nefarious purposes become harder to pinpoint.

Just because some companies prefer to monetize through data and so offer a lower cost to consumers, it doesn't mean that there won't be a large and expanding market for companies that do it the other way around.

What would be interesting to see is the comparative cost and availability over time of products and services that provide high levels of security, and the degree of use of those technologies.

It seems highly unlikely that the number of people carrying out criminal or illegal acts would increase with the general increase in use of technology: that would suggest technological advances drive people to perform criminal acts.

And so you are looking to keep eyes on roughly the same number of people. The difference is: they have better and cheaper tools for skirting surveillance. And no amount of hacked toothbrushes is going to compensate for that. ®


Biting the hand that feeds IT © 1998–2022