[From the last episode: we saw how updates work best when they allow rollbacks if something goes wrong during the update.]
[This post has been updated at the end.]
Nest is one of the more prominent brand names in the smart-home world. As the Washington Post reports, it turns out that the Nest isn’t that hard to hack. It’s not that it’s intentionally easy to hack; it’s just that making it more secure would be inconvenient for us users.
This raises an important issue that we shouldn’t omit in any discussion of security: what is our role, as IoT device owners, in security? After all, the things we’ve been talking about so far all happen quietly inside the devices, without our knowledge or involvement. But there’s another layer to security, and that layer features us.
What’s a Good Password?
Honestly, what we’re going to talk about now isn’t specific only to the IoT. It applies to anything we do online. And the short answer might be summed up with “good passwords.” Oh, but were it only so simple.
If you listen to information technology (IT) security specialists and the advice they have given over the years, a good password can be created as follows:
- It should involve lots of characters (including “special” characters).
- The characters should be random.
- You should use a different password – completely different – for every account.
- You should change your passwords regularly.
- You should never, ever, write your passwords down.
Of course, we all know this is a ridiculous list. How many passwords do we have out there? Hundreds, possibly. And we’re supposed to keep mental track of hundreds of passwords that look something like, “tY46opDpDVDA!q%mf3)kp” that change regularly, and do it in our heads?? Absurd.
Many browsers and computers have password-storing features, and these can be helpful. But… ever change your computer? Unless that store is backed up or synced somewhere, you now need to start all over with the password storage, and if that’s all you relied on to keep track of your passwords, you’re hosed. So, of course, we don’t do that. We violate those rules in one or more ways.
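As an added example (not part of the original post), here is what the first two rules, lots of characters and random ones, look like when a program rather than a person generates the password, together with the arithmetic for how much guessing work a given length buys. It uses Python’s secrets module, which is the cryptographically secure source of randomness; the eight-word list is constructed for the example so it runs offline, and the 7,776-word figure in the comments refers to a standard diceware list, which is not included.

```python
import math
import secrets
import string

# Alphabet for a fully random password: letters, digits and "special" characters,
# as the first two rules above ask for. 52 + 10 + 32 = 94 symbols.
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware list (a real list has 7776 words).
# It exists only so the example runs offline.
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "house"]


def random_password(length: int = 20, alphabet: str = RANDOM_ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet` with a CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the `random` module is a
    Mersenne Twister whose future output can be predicted from a few observed
    values, which is exactly the wrong property for a secret.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Return `words` randomly chosen words joined by `sep` (diceware style).

    The memorable alternative to a random character string: the entropy comes
    from the number of words and the list size, not from odd characters.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of a secret made of `symbols` independent uniform picks
    from `choices_per_symbol` options, i.e. log2(choices ** symbols).

    entropy_bits(94, 21) is about 137.6 bits (a 21-character random password);
    entropy_bits(7776, 6) is about 77.5 bits (six diceware words).
    """
    return symbols * math.log2(choices_per_symbol)


def password_entropy(pw: str, alphabet: str = RANDOM_ALPHABET) -> float:
    """Entropy of a password that random_password() produced over `alphabet`.

    Valid only for machine-generated passwords: a human-chosen string of the same
    length has far less entropy than this formula reports.
    """
    if any(ch not in alphabet for ch in pw):
        raise ValueError("password contains characters outside the alphabet")
    return entropy_bits(len(alphabet), len(pw))


if __name__ == "__main__":
    pw = random_password(21)
    print(pw, round(password_entropy(pw), 1), "bits")
    print(passphrase(6), round(entropy_bits(7776, 6), 1), "bits with a full diceware list")
```

The point of the two entropy figures is that length does the work: a six-word passphrase from a full list is weaker than a 21-character random string but far stronger than anything a person invents, and it can actually be remembered, which is what makes the "completely different password for every account" rule survivable when a password manager isn't available.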
What’s the Worst Password?
That said, many of us do the absolute minimum – nothing – and malware like Mirai has exploited our tendency to leave default passwords in place. We aren’t allowed to do that with new websites when we’re registering; we have to create a password.
But with devices like modems and routers and IoT devices, things are different. The box comes with a default password, and, unless we change it, it remains – and it’s the same as what many of our neighbors use, since they probably left it alone too. The least we can do is change the default password. There’s now a push to “force” users to set a new password before they can use a device.
Other Security Boosters
There are other ways besides passwords that companies try to make sure that you’re really you. One of them, two-factor authentication, uses two completely different ways of confirming your identity. You might log in using your password, but then, before they let you in, they text you a code that you have to enter. The idea here is that a hacker may get your password, but it’s much less likely that they’ll have your phone (and the unlock code for the phone if they actually do have it). A texted code is the weakest form of this, since a phone number can be moved to an attacker’s SIM by a careless carrier, but it is still far better than a password alone.
This isn’t so bad, usually. But it can be extremely inconvenient in some cases. Where I live, for instance, there’s no cell service. We have WiFi and internet, but if your phone can’t receive texts over WiFi in the absence of cell service, then, when you log into a site, you have to quickly drive out to find cell service to get the code and then rush back to enter it (since there’s usually a time limit). Yes, this has happened.
Other systems rely on so-called challenge questions. The idea is that they pose questions, the answers to which only you would know. But, first of all, the questions tend to be inane. “What’s your favorite book?” What, like I have one favorite book that I had read by the time I registered on my first website and it will never change for the rest of my life? Really?? I usually can find a question or two to which there will be one answer that I will always remember, but there have been sites where none of the questions was useful.
And then there was the bank that, when you pretty much wanted to do anything, made you answer a challenge question. This is security theater, like the airport: it just makes everything a hassle for a minuscule increase in security.
The Takeaway
The point here isn’t for me to rant; the point is that doing things for security can be inconvenient for us. And companies like Google know it, and so they intentionally dial security back to find a reasonable tradeoff. With Nest, that tradeoff may have veered too far into convenience, making it too easy for someone to break in. I know people whose response to the possibility of getting a Nest is, “My old-fashioned thermostat works just fine; why do I want to pay a lot more for something that does the same thing but can be hacked?” OK, doing the same thing – in the long term – probably isn’t accurate, but people are aware of security issues, so device makers can’t go too easy for the sake of convenience.
It’s a tough balance, and what’s inconvenient for one person might not be an issue for another. The takeaway here, in my opinion, is that we should be willing to take some responsibility for security. Real security, that is; not security theater. And we should be willing to put up with nominal inconvenience if it’s matched with a commensurate increase in security. 100% more work on our part for a 1% increase in security doesn’t meet that standard.
But there’s also no excuse for leaving the default passwords in place.
Update 6/4/19: It’s good to see that periodic changes in passwords, recommended on many sites, are now out of favor, now also with Microsoft, per this article.