I did give a talk at „Still Hacking Anyway“ (SHA 2017), a campsite conference organized for and by hackers last week in the Netherlands. I called my talk “Best of IoT Fails“. (My sum-up of the whole event can be found here). Most of the other speakers explained at the beginning of their talk why they chose the subject they were speaking about and how they were related to it. Well, for some reason I did not do that (to be honest: I just did not think that it can be imporant for people) – but it was actually the most asked question afterwards while speaking to people. That’s why I decided it might be a good idea to explain it to you here.
I am working as a full-time journalist, being employed at the daily newspaper KURIER and the technology website futurezone.at in Austria. I have been writing about technology for at least eleven years by now, and I have watched all the major developments taking place around the internet carefully. (( And I just noticed at SHA that I am using the internet for over 20 years now on a daily basis (…. wait, what? Yes, it was 1997 for me when I got my first e-mail-adress.) )) When the „Internet of Things“ (IoT) started to rise, I was watching the developments with curiosity.
When the story started
When the first fridges sent out their spam mails in 2014, I did talk to the local people at CERT.at about their thoughts. And I got really angry when I was hearing that the vendors did not care about IT security within their products at all, just expecting that nothing will happen anyway. 2017 – not much has changed yet and I heard the same story all over and over again from many, many, many more interview partners.
For me – hearing such a story is more than just something to write down on a paper and then go home from work and get over it. I do care about what happens to our society with the change of technology and the importance of IT security. I do care, because I know it affects all of our lifes. And I do want to know the whole world about it, understand it – and then start some changes together. I do not want „Blackout“ by Marc Elsberg gets real, and if it gets real, I would at least feel better if we had a plan. Resilience.
Well, to get back to IoT. I had so many WTF moments during my work – talking to a huge vendor of lamps that started with the „digitalization“ of their business a few years ago, connecting their lamps with the internet. I was asking the CEO of this company (which will stay unnamed) about how big their IT security department is going to get after this switch to IoT and he told me that there will be one person working on the security and one on IT support. I hardly kept myself breathing after this information.
So, I hope I could explain you, why I did chose that topic. In my talk, I presented some current examples that I collected as a journalist and did write about that might sound like science fiction, but actually have already taken place. The recording of the talk can be found at: https://media.ccc.de/v/SHA2017-163-best_of_iot_fails or via YouTube.
Feedback and discussion
What did politics do so far? Not much – but they have IoT security at least on their agenda. The FCC did touch the subject in its “Cybersecurity Risk Reduction White Paper”, because it could see that „the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests“. EU vice president Ansip also told in a speech recently that „EU-wide certification and widely recognised labelling would strengthen trust and confidence in the online environment, while making sure that cybersecurity products and services are technically compatible between countries.“ (This speech does contain a lot of WTF moments as well). A lot of IT security researchers I spoke to advised that we would need clearer rules for vendors and standardisation.
What about you? What I kind of missed is, talking to YOU out there. I regret that and it is due to my lack of experience in doing talks (it was my 4th talk ever). After I finished my presentation I should have asked YOU – on the one side for more examples you might have experienced, on the other side for your suggestions for solutions. Sorry that I did not do this properly, we could have had a nice discussion… If you want to share some stories now, just post them under this blog entry or do write me an e-mail at email@example.com. If you liked the talk anyway, also please rate it in the frab.