As the founder of Digijaks, I am also a member of the California Cyber Security Task Force and a subject matter expert on cyber security to US Government agencies. We are constantly advising, both before and after incidents, about how to make changes to security postures in an ever-changing world. I have been writing about the dangers of IoT for a few years now, and unfortunately neither the outage yesterday nor the Krebs/Akamai attacks came as any surprise.
#IoT has been heralded as a transformative set of technological advances.
But it is not.
It is really just a collection of devices that have shared components from basically one manufacturer. See what Brian Krebs had to say on the Mirai attacks (he was attacked a few months prior, along with Akamai, in a similar attack).
But most IoT devices do not provide any real security, and many are simply copies of other IoT devices that also have no security. Then you have to add in the problem of the unsecured devices talking and sending your data to other non-secure devices and/or third-party companies.
So about one year ago, I wrote this in the Huffington Post:
The disruption has to be the switch from rush to market with little to no thought about security — to one where security is built in from the design level up and where devices are not put on the market without first being hack tested every which way to be able to prove their security credentials. Otherwise, we are all simply at very real risk. In part because of the inattention or even stupidity of others who do not think this is important; or in the rush to market skip cyber security completely — or just write a lame #fail marketing statement about how they value your security.
The Internet of Things, or IOT as it is called in the media, by analysts and techies alike, is an amorphous concept and does not easily translate into everyday speak for the average person.
There are #cybersecurity concerns with the overlapping inter-connectedness that are growing exponentially by the month, as more and more devices come online and get connected to the Internet. Many if not most have little to zero security protocols built in.
There is no current “IOT cybersecurity standard” or anything close. As a result, the apps and tools that seemingly make your life so easy are most probably leaking, if not pouring, personal information about you or your family onto the internet in ways you may or may not be aware of.
So some thoughts/questions for the average person who does not have a cyber security staff or adviser nearby:
- Does everything have to be connected to everything and what happens with a point of failure or with multiple points? Does your fridge really need to talk to the toaster, and both to the internet?
- Even if you want to track your whole life, does it need tracking?
- Does the good of the device in your life outweigh the bad of the cybersecurity or reputation risks?
- Do your kids need this tracking on them and, beyond knowing where they are, do you want your kids’ information in companies with weak or zero cybersecurity protections?
- Do you want your kids’ information broadcast out to the Internet because of an auto-update or a bot tweeting something?