Do you really need an Internet door lock?
Please, just stop for a moment and think before you buy that next cool Internet connected gadget.
Do you really, truly need it to connect to the Internet? That connection does not come for free.
I’m not talking about the increase in price of the gadget, the cost of bandwidth, or the cost to you when you cannot get back into your house. Rather, I’m talking about the cost of securing the device over its entire lifespan, year after year after year.
Each device with Internet connectivity contains a small but powerful CPU and an operating system or firmware. When a device is hacked, it may stop working or it may be subverted. Either way, even tiny devices can cause considerable damage. In large numbers, they do cause havoc. This last year, over 200,000 Internet connected web cameras were hijacked to form a botnet.
A compromised device may be able to:
- Issue hundreds of outbound Internet requests per second, every second for days on end, and cause denials of service on other sites, devices and infrastructure.
- Issue hundreds of spam messages per second.
- Search the local network and broader Internet for other devices to target and infect.
- Intercept, stop or modify data as it passes through the device.
- Exfiltrate private data and secrets.
- Encrypt or destroy local data and then demand a ransom for restoration.
- Join a bot army of infected devices.
- And even destroy the device itself (see Iranian centrifuges).
When we connect a device to the public Internet, we have a responsibility to all the other users and devices on the Internet. If our device is hacked and subverted, the impact is often far greater than the headache it gives us.
We need to ask: Is this vendor prepared to secure this device for its lifetime? And are we prepared to ensure the device stays secure?
If you are not, or the vendor is not, don’t buy that cool gadget. Otherwise, you are avoiding the true cost of the device and you will be contributing to the massive security problem that we have already.
My earnest plea: please don’t buy an Internet device unless:
- You really need the Internet connectivity and the device is pretty useless without it.
- The device can automatically upgrade itself for the lifetime of the device.
- The vendor is competent and prepared to support the device and deliver automated security updates.
The Full Cost of an Internet Device
Nuclear power sounded like a universal panacea for our energy needs in the 1950s and 60s. Over time, we learned that the full cost of nuclear power must include the cost of spent fuel storage and cleanup for more than 100,000 years. When fully factored in, the price of nuclear power suddenly looks much less attractive.
Similarly, we must factor into the price of an Internet connected device the full cost of security for the lifetime of the device. All Internet connected devices must be supported, patched and upgraded as security threats evolve. The vendor must provide this and you, the user, must demand it.
If you are a device builder, you may like to read part 2 — Do not Internet enable your device.