When will we stop blaming the victim and tell device manufacturers to step up on security?
Those connected thermostats and lightbulbs the tech world is so excited about? Well, the Federal Bureau of Investigation isn’t so sure about them. In a public service announcement issued last week the nation’s law enforcement agency warned folks that connected devices pose a risk because they open up new avenues of attack. The PSA mentions everything from lightbulbs and wearables to network connected printers (!) and fuel monitoring systems.
On one hand, I’m thrilled that the FBI is seemingly aware of the lax security many connected devices currently have and willing to step up to say something about it, but on the other I’d rather it get serious about warning device makers as opposed to scaring the citizenry. The agency’s bulletin is actually pretty modest when describing the potential threats posed by these smart devices, focusing on realistic scenarios such as your home or corporate monitoring system getting hacked and letting strangers look in on you, letting criminals use your devices as part of a distributed denial-of-service attack, allowing criminals to take over your devices to steal information that may be transmitted over such devices (mainly habits about people in the home), and finally enabling a criminal to control a device.
That last one is the most worrisome. In a consumer’s home this could allow someone to access your house if you have connected locks or garage door openers. In a corporate network the FBI notes that the last item could be used to control something like a gas pump allowing someone to fill their tank for free or overfill a tank causing a fire.
I appreciate the agency’s willingness to use a better example than the nuclear power plant one that often gets thrown around at conferences, when the people who are actually in charge of nuclear power plants have explained to me that there is no way in hell that their sensors are connected to the Internet. The FBI finishes its PSA with some suggestions for users that people in the industry have been shilling for years, such as using strong passwords and connecting only devices that need to be connected.
But instead of blaming the victim it would be nice if the agency would instead issue a PSA to the manufacturers of these devices that said something along the lines of, “Look guys, we know security isn’t really the first, or even the second thing you’re thinking about when you’re adding connectivity to these devices, and that’s a big problem. It could cause gas fires or the loss of consumer information. That’s not cool. So here are some guidelines that you need to start following to make sure we don’t come knocking after gas station owners complain that patrons can crack your connected pumps to steal gas.”
Maybe the FBI can call the Federal Trade Commission and get it involved in issuing the next PSA. That one should warn the companies making these connected devices that they need to take security seriously. Otherwise consumers are going to see these FBI bulletins and rethink that connected thermostat or door lock purchase.
By Stacey Higginbotham for Fortune Magazine