Prime Factors Blog

How the Internet of Things Weakens Data Protection

Posted by Jeff Cherrington on Jul 9, 2014 12:00:00 PM

Sean Workman, the head of Prime Factors’ product support, relayed an article to me that underscores how the Internet of Things is following the same predictable curve as any new technology. The initial rush is always to make the darn thing work, then immediately to figure out how to make money from the technology created. It's only after the new product is selling and in the hands of customers that the queasy realization occurs that some security issues have not been addressed.

This case example relates to a cool new technology, LIFX, that adds “smarts” to light bulbs. This means that they become something you can manage from your tablet or smartphone. This may seem like a frivolous thing, but there is really a lot of potential value. I think of two things immediately – first, how much I would appreciate being able to turn off lights in the house without having to go from room to room to hit switches. I have teenagers who frequently keep later hours than I do and, dutiful parent, I keep the porch and garage lights on to welcome them home. Happy to do that, but I really hate to see those lights still burning in the middle of the next day. Second, and really more important, I just heard that a survey indicates that 90% of Americans want to age in their own homes, but aren’t preparing for it. The pundit discussing this mentioned one reason is that most of us don’t know what to do to prepare, even though things like being able to control the house from a convenient location are high on the list. The Internet of Things and these LIFX light bulbs may actually be the better path to a smart home than some of the earlier attempts, and help aging Americans stay in their homes longer.

So, smart light bulbs are a great new technology but, like any IP-connected system or device, there are security issues, and neglecting them introduces more risk to data privacy and personal protection. To their credit, the inventors took one necessary step toward protecting communications with the devices, integrating AES (Advanced Encryption Standard, the NIST-approved strong encryption algorithm) into their firmware. Sadly, they neglected the next, crucial step of ensuring the encryption keys used with the algorithm were random and protected.

The bulbs communicate wirelessly, meaning they have to authenticate to the local Wi-Fi network – your home network, for example, or a network of an office or plant adopting the technology. Hackers within 30 feet of one of the bulbs can pull the passwords used to secure the connection. While AES was implemented to protect the password exchange, the encryption keys built into the firmware were static, making it easy for a hacker to decipher the payload. To their credit, the makers of the bulbs have updated their firmware to address this issue, but only after some significant volume of product is already in the wild. While the newly shipping products are now protected against this attack, those bulbs already installed are not, without a firmware update. (I get queasy every time I do a firmware update on my phone or motherboard – thinking about doing that for a light bulb boggles!) For a more expanded discussion of this situation, see Dan Goodin’s excellent recap at Ars Technica.
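The difference between a static firmware key and per-device random keys, as an added example that is not from the original post or from LIFX's firmware: it counts how many devices' protected messages open with the key taken from a single unit. The device names, the key value and the HMAC-SHA256 construction standing in for AES are assumptions, chosen so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Stand-in for AES so this runs on the standard library alone: an HMAC-SHA256
# counter keystream with an HMAC tag. Illustrative only, not a production cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not match the message."""
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Constructed value standing in for a key compiled into every firmware image.
STATIC_FIRMWARE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def provision_static(device_ids):
    return {d: STATIC_FIRMWARE_KEY for d in device_ids}

def provision_random(device_ids):
    # One 128-bit key per device from the OS CSPRNG.
    return {d: secrets.token_bytes(16) for d in device_ids}

def exposed_devices(keys, leaked_device, secret=b"constructed-wifi-passphrase"):
    """Devices whose protected messages open with the key taken from one unit."""
    leaked_key = keys[leaked_device]
    return sorted(d for d, k in keys.items()
                  if unseal(leaked_key, seal(k, secret)) == secret)

if __name__ == "__main__":
    fleet = ["bulb-1", "bulb-2", "bulb-3"]  # hypothetical device names
    print("static key :", exposed_devices(provision_static(fleet), "bulb-1"))
    print("random keys:", exposed_devices(provision_random(fleet), "bulb-1"))
```

With the static key, the disclosure of one unit's key covers the whole fleet; with per-device keys it covers only that unit.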

The moral of this story is two-fold: early adopters of new technology must be willing to accept the risks of the inevitable data security shortcomings it includes, and use of strong, random encryption keys is every bit as important as the algorithm selected. Learn more about Prime Factors’ automated cryptographic key lifecycle management capabilities (now in their third major release) and the ease with which they can be integrated into your existing or new applications here, or contact us for a free thirty-day, fully supported trial.