A few months ago I was privileged to sit on a panel at an Internet of Things conference with representatives of such luminary brands as Verizon, GE, and Amazon.com. The issue at hand was home automation security, and there was much lamentation and gnashing of teeth among the many vendors in the room concerning consumer apprehension over getting hacked, spied on, or otherwise digitally manhandled.
Unanimity being abhorrent to me, I naturally fell into curmudgeon mode. “Fellas, c’mon,” I averred to panelists and audience alike. “With brands like yours, all you have to do is tell the marketplace, ‘Don’t worry about security; we got you covered’ and they’ll believe you.”
The resultant acquiescent nodding of heads was a new unanimity, so I felt compelled to add, “Of course, having made such a promise, you’d bloody well better deliver.” It was a gratuitous add-on; everyone was already acutely aware of the damage to be wrought if that kind of trust was violated.
It turned out to have been a prophetic conversation. Two weeks ago the Federal Trade Commission filed a lawsuit against a major player alleging truly egregious practices that threaten consumer confidence across the entire Internet of Things.
If you take a look at the label on your router, security camera or other home automation gear, you’re very likely to see a logo for D-Link. The devices they make are in millions of homes and, because they talk to your computers, your smartphones, the Internet and each other, gadgets like these are prime targets for hackers. Breaking into one is like sneaking through a window in the Pentagon: Once you’re inside the building, it’s open season on everything inside of it. So the risks are enormous, as is the obligation to safeguard the customer.
This isn’t a theoretical risk. Last October a coordinated attack shut down the sites of such giants as Amazon, Twitter, and Netflix when they began receiving millions of simultaneous requests that overwhelmed them. Where did those requests come from? Probably from my computer. And yours. And hundreds of thousands of others that were quietly infected and then brought together as a coordinated “botnet” that launched the attack.
This was nothing new. What was new was how the malicious software got into those computers in the first place, since many of them had up-to-date security protection. Turns out that it came through cheap home security cameras manufactured by Hangzhou Xiongmai Technology in China. Weak built-in passwords were easily guessed by hackers, who used the cameras to snake their way into the homeowners’ computers.
D-Link was acutely aware of security issues like these and the attendant obligation to address them. Their advertising bragged about “Advanced Network Security,” and even the popups during the setup process made repeated assurances of safe, secure connections.
According to the FTC, they were lying. The list of vulnerabilities in D-Link devices starts with mobile app login information stored in plain text – that’s like writing your username and password on a Post-It note and slapping it on the side of your computer – and gets worse from there. The suit charges that D-Link’s claims of advanced security were not only deceptive but dangerous.
D-Link denies all of the allegations, but however that case goes, it’s not an isolated episode. The FTC has pursued a number of equally serious violations that threaten the integrity of the Internet of Things. My own feeling is that everything that’s happened so far has been small potatoes. Even the Target breach that exposed the private data of millions of its customers made barely a ripple in the collective consumer consciousness. The harm was to the banks; customers were completely covered by consumer protection regulations. And who feels sorry for banks?
But it won’t be long before there’s a catastrophe of biblical proportions. It might not be financial in nature, but could involve medical devices, power plants, automobiles, or security systems. I’m hopeful that we won’t need something breathtaking to jar us into action.
During the same panel session I referenced above, someone felt obliged to drag out the old and tired trope that “The key to security is consumer education.” This time, I didn’t bother to feign politeness but jumped down the offender’s throat with both metaphorical feet, aggressively putting forth the proposition that, when it comes to security, consumer education is about the dumbest approach imaginable. To see why, take this little quiz:
1. Do your passwords to various websites look more like this (^*!&kjhadjk*nyurk*%&) or like this (password1234)?
2. When was the last time you changed your passwords without being forced to?
I rest my case.
Note: I’ll be chairing a panel on the critical role of technical support in the Internet of Things at the IoT Evolution Expo in Ft. Lauderdale on February 8. My guests will be Curt Schacker, Senior Vice President of Connected Systems at EVRYTHNG, and Warren Katz, Chief Marketing Officer at iDevices. Come join us if you can; should be a most illuminating session.
Lee Gruenfeld is a Principal with the TechPar Group in New York, a boutique consulting firm consisting exclusively of former C-level executives and "Big Four" partners. He was Vice President of Strategic Initiatives for Support.com, Senior Vice President and General Manager of a SaaS division he created for a technology company in Las Vegas, national head of professional services for computing pioneer Tymshare, and a Partner in the management consulting practice of Deloitte in New York and Los Angeles. Lee is also the award-winning author of fourteen critically-acclaimed, best-selling works of fiction and non-fiction.
© 2021 Newsmax. All rights reserved.