Why Journalists Will Ensure the Internet of Things Works
Content Fellow: Steve Masiclat
Below is the first article from Communications@Syracuse content fellow and professor Steve Masiclat. During the last 20 years, his research and teaching interests have evolved along with the digital communications field. Today he is a published researcher in the field of artificial intelligence and advises Wall Street investment firms on advanced web technologies. Communications@Syracuse offers content fellowships to lead professors and senior-level communications professionals who teach in the online program.
Three things happened recently that reminded me about the crucial role journalists and an informed press must play in modern digital life.
The first was ordinary in a 21st-century everything-is-digital kind of way. My wife and I installed our second internet of things (IoT) device in our home. We are now the proud owners of a smart doorbell.
It is one of the everyday marvels of the 21st century. This doorbell has an embedded motion sensor, video camera, microphone and speaker, an accompanying mobile app and cloud video storage. Not only does it activate my old doorbell chime, but it also plays a tone on our phones and tablets, texts me when anyone steps up on my stoop and keeps a video archive of all my visitors, whether they ring the doorbell or not.
IoT devices are convenient, and this one makes my wife feel more secure when she’s home alone. However, I know enough about how these so-called smart devices work to also be deeply suspicious.
As I said, this is our second device. The first was an internet-connected video camera we placed in our baby's nursery. Not long after we installed it, we received an alert from the company about a security flaw. It seems that hackers were searching the web for unsecured nursery cameras and tapping into their video streams. The initial fear was that these hackers were tech-enabled voyeurs hoping to catch a view of a nursing mother, and this highlights a fundamental vulnerability on home networks: The digital world is very complex, and the proliferation of IoT devices is increasing that complexity.
My home network is WiFi based. My family has a wireless router and several computers, phones, tablets and a small but growing number of IoT devices that connect to it. A skilled hacker could use a flaw in any one of those devices to get to all the others, and this is where things get serious.
Our finances are entirely managed over our network. So is my professional life. Mortgage payments, insurance payments, investments and my intellectual property are stored and delivered over my network. I simply can’t afford to have an IoT device that puts my household at any kind of risk.
In the case of our networked nanny-cam, the security flaw was simple to fix. We just had to ensure we changed the default login and password for the camera. Like many IoT devices, the camera shipped with a default login of “admin” and a default password of “password.”
And this isn’t even the most egregious example. Researchers at the internet security site Rapid7 documented nine exploits for a home smart lighting kit that allowed hackers to use internet-connected light bulbs to steal and store passwords. The bulbs themselves were using unencrypted and insecure network connections. Who thinks to password-protect light bulbs?
Reading that article was the second thing that happened.
I don’t want it to seem like this lighting kit story is the exception; it’s the rule. The level of complexity required to make reliable objects that monitor and adjust their performance in real time while talking to websites, mobile apps and digital controllers is simply beyond the ability of a product engineering team to master. It turns out it’s almost impossible to invent the future while also serving the marketplace.
The third thing that happened was an alert about an operating system update for iPhones and iPads.
It seems a company called NSO Group based in Israel created an exploit to take control of an iPhone through a text message. In fact, the group created three “zero-day” exploits to hack iPhones.
A vulnerability is considered zero-day if the device or software manufacturer is unaware of it and has had zero days to build a defense against an existing code weapon.
Zero-day exploits first reached widespread awareness when people started hearing about the Stuxnet virus in summer 2010. This was a cyberweapon that targeted devices controlling Iranian nuclear centrifuges.
The story of the discovery of Stuxnet has been told in a PBS NOVA episode and a forthcoming movie. The virus (technically a self-replicating worm) contained five zero-day exploits and is considered the first cyberweapon ever used in an act of cyberwar.
Stuxnet was so complex and advanced that all of the civilian cybersecurity experts who studied it agreed it had to have been built by a well-resourced agency under the control of a nation state.
This is an alarming development because when nations engage in high-tech warfare over our interconnected internet, everyone is a target. Malicious code, like the organisms it is named after, has a way of infecting everything.
These three events took place over a sunny summer weekend, but the larger backdrop is ominous.
The emails leaked from the Democratic National Committee earlier this year were stolen in a cyberattack, and the growing opinion is that hackers based in Russia might have used NSA-designed tools to do it.
You can’t make this stuff up.
What does this have to do with journalists? The government should be protecting us as we evolve into a cyber society, but the recent revelations about the NSA have made it clear that the government has been researching network vulnerabilities and not telling anyone, not even the manufacturers of the vulnerable devices.
That seems un-American to me.
The vulnerabilities the hackers released were many and varied. They included both known and unknown (zero-day) exploits for hardware from all the major network infrastructure manufacturers. Those who have taken Applied Media Research at Newhouse will know these as OSI-Stack manufacturers.
When the government abrogates its responsibility to provide for the common (cyber) defense and promote the general welfare of the networks that power our economy, we need journalists to hold officials accountable.
We need independent and tech-savvy watchdogs looking out for citizens who think they are buying safe devices, but are actually introducing vulnerabilities to their lives—exploits their government knows about. That’s a traditional journalistic mission, and this is a story that has to be told at all levels. It’s a story that has to be told in the halls of Congress and in small towns where, one by one, citizens attach their homes and their livelihoods to an increasingly vulnerable internet.