Thinking Security: Is My Toaster a Security Risk?
Author(s): Michael Kain, Posted on September 23rd, 2015
This is the 8th blog in a series about security and how security is about how you think.
In my last blog, I started looking into security monitoring of my house and asking the question about what I should monitor. With all of this new “Internet of Things”, do I have to worry about these new devices and how they affect the security of my house? Do I have to worry if my refrigerator remembers my midnight snacking habits? Do I have to worry if my washing machine knows that I wash colors on Thursdays? Is my Internet-connected toaster a security risk to me?
In order to answer this question, we're going to continue to look at the security of my house using the same processes that we use to understand the security of a computer datacenter. We need to gather as much SECURITY INTELLIGENCE as we can on each item and how it works in order to understand how it affects the security of the greater environment. Again, it's how we THINK about security that's going to help us understand the security of the overall environment.
Some questions that I’m asking myself about my new Internet-connected toaster (there are many more):
- How does the toaster communicate with the objects around it? Does it try to connect to everything and then figure out what type of object it is? Do other objects connect to it?
- Does it have to "log in" to each object (or does that object log in to my cool new toaster)? Is that login information saved and secured? Does that information travel in user-readable form (what I called "cleartext")?
- Does the toaster check for updates periodically with the manufacturer’s website? How does it validate that the updates are not tampered with and are from the right manufacturer?
- Is the toaster examining what types of bread that I toast and uploading that information to the manufacturer’s website (or the bread company’s)? Does it save this information? How?
- Does it secretly have a microphone and listen to my morning and midnight conversations, even though that feature is not listed on the box?
- Do I have to put my thumb on the handle to enable the toaster (so it’s making sure that I’m a valid user)?
- Does it handle errors correctly? For example, if I put a French croissant in it, does it flash a red light so that I have to unplug it and then turn it back on?
These questions, and those like them, are meant to uncover the nature of each device. If I know how these devices THINK about security, then I can understand how they contribute (or not) to the overall security of my environment. The last question also starts to treat my toaster as a mission-critical appliance: can it be disabled through a normal operation? So how, through my security intelligence, can I decide which appliances in my house are the most mission-critical? Is it my smartphone? Refrigerator? Toaster?
So, which appliance in my new "internet of things" house is the most suspect? Which one has the most information that I need to secure? It all comes from thinking about the security of my house as individual objects, knowing the security intelligence of each object, and understanding how they interact. The overall security of the system is directly connected to the security of each object and how they interact. Again, it comes down to how we THINK about security, whether we're talking about an Internet-connected toaster or a computer datacenter.
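One way to turn the question list above into something you can act on is to record the answers for each device as a small inventory and rank the devices by two things at once: how many of the questions come out badly (how suspect the device is) and what the device can reach over its connections (what a weak device puts at risk). The script below is an added example written for this post, not code from the original article; the device inventory, the weights on each finding and the 0 to 2 data-sensitivity scale are all constructed assumptions for illustration.

```python
"""Rank a constructed home-device inventory by weakness and by what a weak device can reach."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    talks_to: frozenset          # names of devices (or "internet") it opens connections to
    cleartext_credentials: bool  # login data stored or sent in user-readable form
    verifies_updates: bool       # checks that firmware updates are authentic and untampered
    uploads_usage_data: bool     # sends habits (what bread I toast) to a vendor
    undocumented_sensors: bool   # e.g. a microphone not listed on the box
    requires_user_auth: bool     # a valid user must enable it (thumb on the handle)
    fails_safe: bool             # recovers from bad input without a manual power-cycle
    data_sensitivity: int        # 0 none, 1 habits, 2 identity/finance (assumed scale)


# (label, predicate, weight): one row per question from the post; the weights are assumptions.
WEAKNESS_CHECKS = [
    ("credentials in cleartext",      lambda d: d.cleartext_credentials,  3),
    ("updates not authenticated",     lambda d: not d.verifies_updates,   3),
    ("uploads usage data to vendor",  lambda d: d.uploads_usage_data,     1),
    ("undocumented sensor",           lambda d: d.undocumented_sensors,   2),
    ("no user authentication",        lambda d: not d.requires_user_auth, 1),
    ("bad input needs a power-cycle", lambda d: not d.fails_safe,         1),
]


def assess(device):
    """Return (findings, weakness_score) for one device."""
    findings = [label for label, check, _ in WEAKNESS_CHECKS if check(device)]
    score = sum(weight for _, check, weight in WEAKNESS_CHECKS if check(device))
    return findings, score


def reachable(start, inventory):
    """Devices reachable from `start` by following talks_to links; the internet is a sink."""
    seen, queue = {start}, deque([start])
    while queue:
        name = queue.popleft()
        for peer in inventory[name].talks_to:
            if peer in inventory and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def prioritize(devices):
    """Rank devices by weakness_score * (1 + most sensitive data reachable from the device)."""
    inventory = {d.name: d for d in devices}
    ranked = []
    for d in devices:
        findings, score = assess(d)
        blast = max(inventory[n].data_sensitivity for n in reachable(d.name, inventory))
        ranked.append((d.name, score * (1 + blast), findings))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed inventory for the example; none of these values describe a real product.
INVENTORY = [
    Device("toaster", frozenset({"internet", "fridge"}), True, False, True, False, False, False, 0),
    Device("fridge", frozenset({"internet"}), False, True, True, False, False, True, 1),
    Device("smartphone", frozenset({"internet", "fridge", "toaster"}), False, True, True, False, True, True, 2),
    Device("washer", frozenset(), True, True, False, True, False, True, 1),
]

if __name__ == "__main__":
    for name, priority, findings in prioritize(INVENTORY):
        print(f"{name:<11} priority={priority:<3} {', '.join(findings) or 'no findings'}")
```

With the constructed inventory the toaster ranks first even though it holds no sensitive data of its own: it fails most of the questions and it talks to the refrigerator, so its weaknesses count against the habits data stored there. The smartphone holds the most information but ranks last because it answers the questions well. That split between "most suspect" and "most information to secure" is exactly the pair of questions the post closes with, and the connection graph is what ties the security of each object to the security of the whole house.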