Open Security Letter to Companies Deploying IOT or Wireless Tech

Published: January 18, 2017 at 11:19 PM EST
Updated: January 18, 2017 at 11:19 PM EST
Updated: March 3rd, 2017 at 02:42 PM EST
— Added this article to some more categories.  Added RSS links at the bottom.

This is a sanitized version of a letter I sent to one of my utility companies.  It’s applicable to any company deploying IOT or wireless technology, so I decided to post it on the blog.

Hello,

My name is Ron.  I’m one of your utility customers.  I’m also a blogger in the fields of technology and security and I have a BS-EET degree.  I’ve been studying computer security at the prosumer level for about 10 years.  I got your email from your mailing list about your smart thermostat program.  I don’t know anything about the program, but I felt it necessary to send this to you.  Please forward this to upper management and IT security.

Your management needs to be aware of the potential security issues relating to IOT (Internet of Things) devices.  A large portion of IOT devices are insecure and have vulnerabilities that can put the consumer and their home network, or the back-end company using them, at risk.  Although I’m painting with a broad brush here, suffice it to say that IOT devices ABOUND with security problems.  This is not to say that all of them have problems, but most do.  The manufacturers will not tell you this.  The consumers don’t know it.  Very specific steps are required during design, manufacturing, and usage to minimize the risks.  Furthermore, these devices have to be CONTINUOUSLY kept up to date with new patches and updates to protect against the new attacks and vulnerabilities that hackers discover all the time.

I’m not an expert in the deployment of systems such as those you’re rolling out.  But I’ve studied enough to know that almost nobody is doing it right.  Doing it wrong can have severe consequences for customers and companies: it can allow hackers to compromise the smart devices, take control of them, change or alter their function, hijack confidential customer data, and/or operate maliciously in the customers’ homes.  Doing the back-end company side wrong can cause severe data breaches in which thousands, or even millions, of customer records and private data are lost.

Google search for data breach cost:

https://www.google.com/search?q=data+breach+cost&btnG=Search

IBM Data Breach Study:

http://www-03.ibm.com/security/data-breach/

This report shows that EACH record breached can cost the company involved $158.  So, even a small breach of 10,000 records could cost you over $1.5 MILLION, in addition to the damage to your reputation.

I ask you to please, PLEASE investigate these issues thoroughly for your company’s sake and your customers’ sake.  It HAS to be done right.  You need to take the attitude that it must be secure FIRST and THEN FUNCTIONAL, not the other way around.

A simple Google search for “iot hack attack” yields about 400,000 results:

https://www.google.com/search?q=iot+hack+attack&btnG=Search

I’ve posted a prior blog post on IOT security, which you may wish to look at:

https://techstarship.com/2016/02/18/you-yes-you-should-care-about-iot-security/

Here are links to two security experts’ blogs.  You can search for “iot” within them.

Bruce Schneier:

https://www.schneier.com/

Brian Krebs:

http://krebsonsecurity.com/

Here’s the website of an organization devoted to the safety of medical devices, automobiles, home electronics, and public infrastructure.

I Am The Cavalry:

https://www.iamthecavalry.org/

I also understand that you have been or are deploying smart meters.  You should understand that any device that communicates via radio, even if not connected to the internet, is vulnerable to similar kinds of attacks.  There have been many cases of these types of systems being compromised.

A simple Google search on “smart meter hack” yields over 400,000 results:

https://www.google.com/search?q=smart+meter+hack&btnG=Search

If your security people haven’t read several hundred of these reports, they definitely should.  There are also serious concerns about privacy relating to IOT devices and smart meters.  What data is the device keeping about my utility usage?  How is that available?  To whom?  Under what circumstances?  And why?

Also, I am aware of a researcher out West (in the US) named Gary Vesperman.  He’s spent decades researching alternate energy and health.  He has been doing lots of research on the potential health problems of wireless radiation, including the type used by cell phones, WiFi, and things like IOT devices and smart meters.  While I haven’t put in the time necessary to review his research, he’s compiled over 1000 pages of data on the potential (he would say actual) hazards of these devices.  He’s very adamant that the hazards are real.  A company in your position should definitely look into this when deploying this type of technology.  Below I link to his website as well as an article specifically about smart (water) meters.  As I said, I haven’t digested this material myself and cannot vouch for its content.  However, I thought you should know about it.  Again, the manufacturers and systems integrators won’t tell you this.

Gary Vesperman’s Website:

http://www.padrak.com/vesperman/index.html#WDEH

Smart Meter Hazards:

http://www.padrak.com/vesperman/Smart%20Water%20Meter%20Hazards%208.18.16.pdf

Thanks for your consideration of these things.  Please take them seriously.  I hope you can implement the technology while still protecting the company’s and customers’ security, privacy, and health.

You may keep up with updates to this article via the RSS feeds for the IOT category or the security category or any other category which is listed at the bottom of the article.

https://techstarship.com/category/iot/feed/

https://techstarship.com/category/security/feed/

Ron