The Internet of Things and Active Digital Debris

We are starting to see an exponential increase in the amount of “Digital Debris” left behind from our romps through the digital world.  This debris contains not only personal information but also now represents active systems left on in the digital cloud and Internet of Things (IoT) wilderness.  To break down how we got here, we can structure this into several different epochs:

1. From the Digital Dawn to Shared Hosting Services
2. From Shared Hosting Services to the Cloud and the Dawn of the Internet of Things
3. To the Era of the Internet of Things (IoT)

Before we characterize each of these and the impact of the emerging IoT epoch is important to differentiate between two different types of debris:

1. Passive Digital Debris - This is characterized by both the offline and online digital data that we leave behind
2. Active Digital Debris - These are the active systems, that may have personal data, but more importantly are active in the control of something physical

Passive Digital Debris. In the first epoch, for those that can remember, information was stored on punched cards that were direct descendants from Herman Hollerith’s first machines produced for the U.S. Census Bureau in the 1890’s.  These 80 column paper records then moved to digital tape and then rapidly onto hard-disk drives.  Today, much of today’s consumer passive digital debris is embodied in the hard-drive of our desktops and laptops and the solid-state storage of our smartphones and pads (and of course, in landfills along with billions of biodegrading punch cards).

Since a person or organization should know the devices it has, it is relatively easy to clean-up this passive digital debris.  For devices that have hard-drives (spinning or solid-state) one can simply remove the drives and store them safely, or physically destroy them.  However, devices such as pads have embedded and very difficult to remove flash drives.  These are generally “wiped” before the devices are discarded, given away, or sold.  Unfortunately, this is easier said than done as is it is relatively complex to actually get rid of the information stored on these devices without some care.

So far, we have explored data that just lays around in devices.  It can not be accessed until attached to system connected to a network.  However, towards the end of the first epoch we see the emergence of dedicated and shared hosting services.  These provided the ability for people to create Websites and provide data services.  With simply a credit card an account could be set-up, website developed, and data uploaded.  Over time, how many thousands of these sites exist essentially unknown by their original owner, with the data littering the Web.

In the second epoch, with hosting and Cloud computing services, the situation now gets much worse.  With easy uploads of data to Cloud storage, whether through a managed service such as iCloud or more raw directly to a Cloud service (e.g., AWS S3 & Glacier or Google Cloud Storage), this data is being uploaded at dozens of Terabytes (probably much more, but I don’t want to sound too hyperbolic) a day.  With people canceling service, forgetting about the service they bought, or passing away, this data will stick around for month, years, and perhaps for whatever is humanity’s ultimate destiny.

Of prime importance is that this passive digital debris, although it may be accessible via a network does not directly interact with the physical world.  

Active Digital Debris.  Now, in the IoT epoch, IoT devices and systems create something new: Active Digital Debris.  Active Digital Debris are ensembles of those devices and their support ecosystems that become part of the long-lived infrastructure of a structure (e.g., home, business, car, etc).  For example, take the case where there IoT thermostats, refrigerators, lighting systems, an irrigation system, a security system, and several generations of digital cameras.  The original user that installed and configured the system understands (or thinks they understand) its use.  What happens when the house is sold?  What happens if the owner is no longer available?  What happens if the owner does not remember how the systems are configured or their passwords?  In fact, without an “IoT House Inspection ” how would a new homeowner even know what is lurking in the light bulb next to her bed?

So, there are significant questions on how do IoT systems transfer from owner to owner.  What are the responsibilities of a user to clean-up their Active Digital Debris?  Without exaggeration, within a few years there will be tens or hundreds of millions active devices within the homes, cars, and businesses that are essentially running against their last set of configurations, and unknown to the people they surround.  These devices may be the next trend in Cyber crime enabling illegal surveillance of home and bringing a new dimension to stalking.  In fact, there appears to be, what maybe is the first case of IoT-based revenge, where a spurned husband used an Internet connected thermostat to wage home temperature retribution against his apparently cheating wife (see, IoT Revenge).

Finally, what is the Active Digital Debris future?  It all depends on the emerging IoT ecosystems which is going to have to at least include mechanisms for some sort of consolidated inventory control and identity management approach.  Hmm, aren't these some of the holy grail of Information Technology? How about an IoT Pest Extermination Service?

Cyber Risks: If we don't care, they don't care?

This is a follow-up to my previous posts.  In Creating Cyber Risks which discusses the pervasiveness of  computer related security risks and our headlong charge of adding to these risks.  Later, in Who is Responsible for Internet Security, I discussed the landscape of the various technical areas of potential Cyber weaknesses and who is responsible for keeping the things up-to-date.

Almost at the same time, two different articles came to my attention.  Microsoft has released released a report that tracks the trends of whether home computer users are applying good practice security measures.

There is a disturbing trend in the above graphic which shows a steep decline in the number of users that are are using the basic security capabilities of their computers and networks or keeping their applications software up-to-date.  If this is the case, what are the odds that they are keeping the more hidden elements current (e.g., device drivers, BIOS, etc.)?

Although this is disturbing, the presumption here is that the updates provided by a vendor actually improve the stability and security of an operating system or application.  However, as described in this report, Microsoft Update Quality Issues, this may not be true.  These updates are related not just to functionality improvements but also security improvements.  Pushed automatically to millions of machines at a time, these patches can cause virtually immediate new zero-day vulnerabilities that hackers are staged ready to exploit based on the known vendor path schedule.

So, we really have two problems and in each there really is no party other than the user that suffers.  If a user does not care to take best-practice measures to secure their systems, then an attack is more likely to be successful in either disabling computers or stealing information.  As discussed in Creating Cyber Risks, could enable a hacker to steal your money as well as enter your home.   Problem 1: User is responsible.

The second is that even if we do take care and score a perfect Microsoft Computing Safety Index (MCSI) score, the actual vendor provided updates can cause vulnerabilities.  Problem 2: Vendor takes no responsibility or liability - User is responsible.

So, if we don't care, will the vendors care to put our their best effort for Cyber-related issues?  And, if we do care, will marketplace embarrassment and corporate user agitation make the vendors care?

Creating Cyber-Related Risks - We are getting good at it!

There is not a day that goes by that there is not some discussion of Cyber or computer risks. For the largest part, it seems that the discussion is focused on the risk of information being hacked from government and government contractor systems. For example:

• China Hacking a Defense Contractor?
• Did China Hack Australia Spy HQ Plans?

However, risks are more than hacking. There are other risks in the use of computers that we are adding on a day-to-day basis. Examples include:

• Personal information shared both overtly and unknowingly on Social Networking sites such as Twitter, Facebook, Google+, etc.
• Use of feature-rich business productivity services such as Google Apps for business.
• Vehicle "telematics" systems such as OnStar.
• Web accessible home security and energy management systems.
• The nascent start of autonomous vehicles for consumers

Each of these risks alone are interesting, but taken together they form a comprehensive set of vulnerabilities that means an attack can come from just about anywhere in the world and strike at just about any time.

Let’s take them in order from above:

People are putting a tremendous amount of information into services such as Facebook, LinkedIn, Google+, etc. Much of this is personal information such as birthdays, home locations (current and past), education, contact information, presence and location information. These systems are now starting to include so call “two-factor” authentication to prevent unauthorized access to a person’s account - which should be a positive step in security. So, what are the risks:

• This does absolutely nothing to stop the use of the information the user has already and continues to place in the system.
• It also does not stop criminals who target and “social engineer” the user into “friending”, exposing the personal information to essentially the world.
• I’m apparently on vacation or at a restaurant or bar, so come rob my house.
• I placed enough information for the criminal to social engineer their way into other systems the victim may use. It may even be enough information to do a complete “Identity Theft” operation.

Business are moving in drive to the “Cloud”. In fact, I am writing this using Google Docs on my corporate Google Apps for Business account. The environment holds our email, calendars, selected documents, and messaging environment. Again, two-factor authentication can be used to secure access to the system, for a user or especially those that are administrators. Google constantly works to make their service more useful, attractive, and “sticky” to their customers. For example, the Google Now service, fully integrated into our employee’s smartphones (for those that use Android), searches their calendars, knows where they are, tells them when they should leave where they are to get to their next appointment, check them in for an upcoming airplane flight, as well as information based other items of interest to the employee. There are several risks again:

• Unsurprisingly, for a user that is exploiting all the features of Google Apps, a compromised account provides a treasure trove of business and personal information, as well as essentially near-real time information of their location
• Potential for access, on demand, by government investigators, such as the ominous (in my opinion) demands on Google to provide warrant-less access to customer accounts (see, Judge Tells Google To Five the FBI Customer Data)
• In fact, just one account may not be compromised as the controls put into place by the Cloud service providers are apparently not all they need to be (see, BT Moves From Cloud Provider Based on Hacking Vulnerabilities)

The evolution of remote capabilities being embedded in the common car is transforming the relationship between car owner, their car, and the car manufacturer. No longer is the car just a sale to the customer with the potential of after sale service, the sale is now one that contains a growing list of services. Enabled by virtually continuous access to 3G and soon 4G wireless, there are services that:

• Provide vehicle service information back to the manufacturer
• Provides GPS and Cell Tower information to a services provider for navigation and traffic information
• Enables a car that is reported stolen to be disabled
• Enables an owner via a smartphone or tablet to open the car’s doors, start the car, and other functions

The risks here are profound. Insider threats, backdoors in the service provider’s systems, vulnerabilities in smartphone security, means that virtually any car can be stolen, tracked, or disabled remotely. In addition, as with the use of Cloud-based business services, information on a car’s travels may be demanded from the service provider by the government. Combined with your Cloud business information, someone is always able to track where you have been, where you are, and where you are going.

The more recent “oh my goodness” is the use of Internet-based home management systems. These systems, which are now being packaged by Cable and Telecom companies, as well as the traditional home security services, not only control the whether a home’s alarm system is active or turned-off, but also the heating and cooling system, cameras, and some can even open door locks. With the convenience of a mobile App, with a few swipes or presses you are in control. Of course, so it anyone that is able to take control of your smartphone, your security account, and certainly staff at the service providers operation centers (which makes me think of where these may be located). Again, like other well publicized cases, attacks on service providers have yielded access to thousands of user accounts.

A couple of scenarios:

• You may think it is cool that you can make sure the lights are on in your house and the air conditioning is turned back on to prepare for your arrival from a long vacation, but what you may find is that the doors of the house are open and your valuables gone
• You may think that you have the privacy of your own home, but what you really have is the government, a robber, a spy on your personal or business life, doing a bit of snooping without your knowledge.

Finally, I end on talking about autonomous cars. Lately, we have been entertained in the news on how far this technology has gone. Just a decade ago, these were lumbering vehicles moving only a few miles-an-hour on a course safely tucked away from the potential to harm anything or anyone. Now, these are moving through cities and highways navigating around work zones and what would appear to be difficult driving situations. In light of the progress, the Federal Government wants States to be a bit apprehensive (see, Caution Urged in Allowing Autonomous Cars).

In this case, it probably does not take a Cyber attack to gum-up the works. With a little ingenuity, paint, signs, and fake barriers, I wonder how hard it would be to fake the car into deciding that the road is under construction and the detour leads directly through my house.  Think of the damage that a "terrorist" could do on the D.C. Capitol Beltway (all without a firearm, fertilizer, or other items normally associated with an "act of terror").

All combined, we are creating a Cyber and Computer risk environment that is all around us. It is not clear how to even begin to deal with the combination business risk, U.S. Constitutional issues, business risk, personal property risks, national security risks that may become a security whack-a-mole - especially if being directed by a foreign (or domestic) adversary for money or power.