On the internet, no-one knows you’re a toaster

The pop singer Gwen Stefani had a husband who was intimate with the family’s nanny. He reportedly recorded some amorous adventures on his iPhone, no doubt to act as a comfort in his later years. Unfortunately, he’d either forgotten about iCloud or couldn’t work out how to configure it correctly (as I can’t) with the dramatic consequence that the screen saver on Gwen’s iPad was transformed from a selection of treasured family snapshots into a flick book version of Pornhub.

Connecting everything on the Internet has unexpected consequences and they are getting worse. With the Economic Times estimating that there are already some 50 connected devices per household, we have a problem that is spiralling out of control. A recent real-world test of more than a million IoT devices found that almost all of the traffic they sent was unencrypted, exposing huge quantities of personal and confidential data to potential attackers, and that networks were mixing IoT devices with other technology assets (laptops, desktops, mobiles etc) to create vulnerabilities on both sides.


A generation on from the famous “on the Internet nobody knows you’re a dog” cartoon that became a staple of management consultants’ presentations ever after, the situation is now far worse. Never mind no-one knowing whether you’re a dog, no-one knows whether you’re a toaster. Or a toaster pretending to be a dog. Or agents of a foreign power pretending to be a toaster pretending to be a dog that is intent on bringing down our online economy. If the Internet of Things (IoT) is going to be a platform for embedded financial services, then it will need a serious security makeover.

Specialized elements of hardware and software, connected by wires, radio waves and infrared, will be so ubiquitous that no one will notice their presence

From The Computer for the 21st Century – Scientific American

That was Mark Weiser’s prediction of the Internet of Things from 1991. It seems pretty accurate, and a pretty good description of where we are headed. This is a world in which computers (and financial services) vanish from view and are instead part of the warp and weft of everyday life. What I’m not sure Mark could have predicted is what a total mess it all is.


Toaster and dog, with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

Whether it’s wireless kettles or children’s toys, it’s all being hacked. Adding mass market, inexpensive and insecure devices to a global network is taking us into uncharted territory when it comes to risk. I recall that, following the last massive Internet outage caused by a “botnet”, a number of commentators remarked how odd it is that a network designed to withstand nuclear war could be disrupted so badly by toasters, nanny cams and video recorders. And that seems a fair, and rather damning, point to make about the nature of our infrastructure.

If you’re wondering, by the way, a botnet is a collection of devices (computers, toasters, cameras and anything else that can be reached through the interweb tubes) that have fallen under the control of some third party and can then be used in a massed and concerted fashion either for good (e.g., searching for radio signals that might indicate extraterrestrial life) or evil (e.g., overloading bank web sites so that customers can’t get through). Just to indicate the scale, a botnet “denial of service” attack against a European bank last month managed to marshal enough devices to hit the bank’s web site with 800 million requests per second, overwhelming its defences and making it impossible for the bank’s customers to access their accounts.

This does not look good for the future. Sooner or later a cyberspace Covid 3.0 will come along and then we are really in trouble. There’s no possibility of social distancing online because we’ve gone berserk connecting things up but we’ve overlooked how to disconnect them. Or, in bumper sticker form for the modern electorate, I might be tempted to paraphrase that doors are easy, locks are hard.

Anyone can connect their kettle, car or children to the Internet. And it’s tempting to do it just because it can be done. But keeping them secure? That’s another and altogether more difficult problem. If we are going to make the IoT a platform for financial services, if we have a vision of luggage that can sort out least-cost routing and lightbulbs that can trade energy derivatives and cars that can buy their own insurance, then we’re going to have to pause for breath and rethink the platform, because that toaster botnet is only the beginning.

The toaster botnet mentioned above is a work of art. It involves the use of malicious software that wanders the highways and byways of the internet looking for devices that have been connected but do not have security defences in place. As it happens, this turns out to be almost all of them. Either the password has been set to “password” or some other easily remembered — and therefore easily guessed — word, or there’s no password at all, or there’s a bug in the software that can be exploited.

This latter category is especially vexing. Suppose it turns out that my smart toilet (these do exist by the way – I have photographic evidence) has been shipped from Korea with an old version of software that the hackers can easily exploit. Now my toilet is going to need patching and then upgrading. But supposing the facilities to patch and upgrade my toilet do exist (“do not flush – upgrade in progress – download complete in 22 minutes”), how will the manufacturers persuade me to do this? What if the manufacturers have gone out of business? What if the upgrade is itself a trick designed to subvert my toilet for the amusement or profit of Eastern European hackers?

Leaving it up to consumers will not work. We cannot trust the populace to configure their smart device firewalls any more than we can trust pop stars to configure their iCloud, so selling toasters that can be hacked (even if it is by the CIA) ought to become as unthinkable as selling cars without seatbelts. The noted security expert Bruce Schneier (one of the key thinkers in this space) has rather eloquently likened IoT’s market failure (which is that I don’t care that my toaster is insecure and is bringing down your bank, and neither does the manufacturer – it’s cheap and it works) to a kind of post-industrial pollution.

(I made a podcast with Bruce around a decade ago and can tell you straight that he has already forgotten more about computer security than I will ever learn — and is also a very nice guy. From what I know of the topic he is of course completely correct: this market failure not only means we have no real security at present, it means that things can only get worse.)

As Bruce pointed out in his excellent book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World”, we are now in a situation where the lack of any security infrastructure means that anything that can be connected to the internet can be hacked. And since everything is connected to the internet, everything can be hacked.

The externality that Bruce highlights can only be fixed by society as a whole and, as unfashionable as that might be, that means regulation. It’s time to begin a conversation about what that regulation might be, before it’s too late. California’s SB-327, which requires manufacturers to set different passwords for devices, is a good example of what’s needed, but it’s only a start. As the Business Software Alliance’s recently-published principles for “Building a Secure and Trustworthy IoT” say, security policies should “incentivise” security through the IoT life cycle. That means a different mindset, and it’s a mindset that sees the need for an infrastructure.

There is no doubt in my mind that we should prioritise innovation and experiment here because the truth is that just as financial services need identity infrastructures for people (IDs), so next-generation financial services will need identity infrastructures for IoTs (IDIoTs).

[This is an edited version of an article that first appeared on Forbes, 12th July 2020].

Posh and Blocks

While flicking through British Vogue magazine for some moisturising tips, I came across a mention of digital identity! I was surprised and delighted that (just as has happened with another of my obsessions, Dungeons and Dragons) what was once the province of nerds and outsiders has become fashionable and cool. Hurrah! Vogue says that secure digital identities for luxury goods are crucial, which is great! I could not agree more. Digital identities are not only for people! I have been writing about the need for digital identities for things for many years, and not only for high fashion (a field where, oddly, I have some experience in the use of NFC applications on mobile phones to scan designer clothes – but that’s another story).


Some years ago I asked if “the blockchain” (put to one side what this might mean for a moment) might be a way to tackle the issue of “ID for the Internet of Things” (#IDIoT). I said at the time that I had a suspicion that despite some of the nonsense going on, there might be something there. My reason for thinking that is that there is a relationship between blockchain technology and IoT technology, because we need a means to ensure that virtual representations of things in the mundane cannot be duplicated in the virtual. As I saw it, there were three ways to do this: a database, tamper-resistant hardware or blockchain.

If we look at the database idea first, I explored this more than a decade ago using the example of luxury goods such as watches and asking how would you tell a fake Rolex from a real one. It’s a much more complicated problem than it seems at first. For example: why would Rolex care? I can’t afford a Rolex, so if I buy one at a car boot sale or in China, Rolex isn’t losing a sale. But by wearing the fake, I’m presumably advertising the desirability of a Rolex. So surely they should be happy that people want to wear fakes or not? And if I did have a real Rolex, would I want to wear it in dangerous places where expensive watches get stolen in broad daylight by muggers (eg, London, London or London) or where I might just lose it?

Anyway, regardless of the reasons for it, let’s think about how to tell the real thing from the fake thing using technology. Suppose RFID is used to implement Electronic Product Codes (EPCs) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to point my Bluetooth EPC-reading pen at it and read the EPC, which is just a number. My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the tag is ‘valid’, but that doesn’t tell me much about the bag. For all I know, a bunch of tags might have been taken off real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to obtain its provenance as well as its product details. The provenance might be distributed quite widely. The retailer’s database would know from which distributor the bag came; the distributor’s database would know from which factory the bag came and Gucci’s database should know all of this. I would need access to these data to get the data I would need to decide whether the bag is real or fake.

This is a critical point. The key to all of this is not the product itself but the provenance. A database of provenance (for example) is the core of a system to tell real from fake at scale.

Who should control this database, and who should have access to it, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me anything about the provenance? How would they know whether I were a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops and so on) or a law enforcement officer with a warrant?

This is where the need for a digital identity comes into the picture. A Gucci brand policeman might have a Bluetooth pen tag reader connected to a mobile. They could then point the pen at a bag and fire off a query: the query would have a digital signature attached (from the SIM or SE) and the Gucci savant could check that signature before processing the query. Gucci could then send a digitally signed and encrypted query to the distributor’s savant which would then send back a digitally signed and encrypted response to be passed back to the brand policeman: ‘No we’ve never heard of this bag’ or ‘We shipped this bag to retailer X on this date’ or ‘We’ve just been queried on this bag in Australia’ or something similar.
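As an added illustration (not code from the original article or from any brand's system), the following Python example shows the check described above: the provenance service authenticates each reader's query before processing it, then discloses only what that reader's role allows and reports when the same item was last queried from another country. HMAC-SHA256 with a per-reader key stands in for the SIM/SE digital signature, and every reader ID, key, role and provenance record is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: reader IDs, keys, roles and records are illustrative only.
READERS = {
    "pen-brand-01": {"key": b"k1-constructed", "role": "brand_police", "revoked": False},
    "pen-shop-07": {"key": b"k2-constructed", "role": "retailer", "revoked": False},
    "pen-lost-99": {"key": b"k3-constructed", "role": "brand_police", "revoked": True},
}
PROVENANCE = {"999/888": {"product": "handbag 999", "factory": "F-12",
                          "distributor": "D-3", "shipped_to": "retailer X"}}
# Fields each role may see; a role that is not listed learns nothing.
DISCLOSURE = {"brand_police": ["product", "factory", "distributor", "shipped_to"],
              "retailer": ["product", "shipped_to"]}
seen = set()     # (reader, nonce) pairs already accepted, to stop replays
last_seen = {}   # epc -> country of the previous accepted query


def sign_query(reader_id, key, epc, country, nonce):
    """Reader side: serialise the query and authenticate it with the device key."""
    body = json.dumps({"reader": reader_id, "epc": epc,
                       "country": country, "nonce": nonce}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def handle_query(body, tag):
    """Service side: authenticate first, then decide what this reader may learn."""
    try:
        q = json.loads(body)
        reader = READERS[q["reader"]]
    except (ValueError, KeyError, TypeError):
        return {"status": "rejected", "reason": "malformed or unknown reader"}
    # Verify over the bytes as received, in constant time, before trusting any field.
    expected = hmac.new(reader["key"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"status": "rejected", "reason": "bad signature"}
    if reader["revoked"]:
        return {"status": "rejected", "reason": "reader revoked"}
    if (q["reader"], q["nonce"]) in seen:
        return {"status": "rejected", "reason": "replayed query"}
    seen.add((q["reader"], q["nonce"]))
    record = PROVENANCE.get(q["epc"])
    if record is None:
        return {"status": "unknown", "answer": "never heard of this item"}
    previous = last_seen.get(q["epc"])
    last_seen[q["epc"]] = q["country"]
    allowed = DISCLOSURE.get(reader["role"], [])
    return {"status": "ok",
            "provenance": {field: record[field] for field in allowed},
            "also_queried_in": previous if previous != q["country"] else None}
```

A real deployment would use asymmetric signatures so that the service holds only public keys, and would sign and encrypt the responses as well.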

The central security issue for brand protection is therefore the protection of (and access to) the provenance data, and this needs a digital identity infrastructure to work properly. If it adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real.

A small brand premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Gucci, don’t you?”. Wouldn’t you pay £20 for the satisfaction of knowing that your snooping guest’s Bluetooth pen is steadfastly attesting to all concerned that your Marlboro, Paracetamol and Police sunglasses are all real? Of course you would.

For some goods, we might want to add tamper-resistant hardware to the product. I have long been interested in the use of low-cost RFID chips in this context. An example I looked at some years ago was the problem in Korea with the production of counterfeit whiskey. The authentic whiskey producers decided to add an RFID chip to the bottle caps. This chip was coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When a customer opens the bottle, the tag is broken and can no longer be read. That seems to be a cost-effective solution, although it again relies on the provenance database to make it work (otherwise the counterfeiters would just find a way to steal the chips).

The mass market IoT, however, amplifies that problem of permission. I have always tried to illustrate this for people in a fun way by using the case study of underwear. It’s one thing for dinner guests to scan my wine bottle to see that it is a real Romanée-Conti and another for them to scan my Rolex to check that it is indeed a first-class far-eastern knock-off, but it’s quite another for them to be able to scan my underpants and determine that they date from 1983. How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance? Once again, we must conclude that not simply digital identity but a full digital infrastructure is needed.

The third approach that I thought worth exploring was that of some form of blockchain. It seemed to me that by using the blockchain to maintain uniqueness, we might find a way to make the IoT a transactional environment. Just as you can’t copy the physical object, but you can transfer it from one owner to another, so you can’t copy a token on a shared ledger, only transfer it from one owner to another. Thus, if you can bind a token to a physical object, you can greatly reduce the cost of managing that object. Hence I was rather interested to read in that Vogue article that Louis Vuitton, Microsoft and ConsenSys have developed a platform called “Aura” to manage provenance to provide proof of origin and prevent counterfeits using a blockchain. The basic idea is to represent luxury goods as ERC-721 tokens on a private permissioned Quorum blockchain.

Obviously, I don’t have any details about how this will actually work, but LVMH seem to imply that at the time of purchase of one of their brands’ products, the customer can use the brand’s application to receive an “AURA certificate” containing all product information. I assume that if you sell your handbag (or whatever) to a charity shop, you can transfer the certificate to the charity shop’s application. Underlying all of this, there is the token on the blockchain moving from the retailer’s wallet, to your wallet, to the charity shop wallet.

If this works, and it’s simple and convenient for consumers, some sort of app presumably, it will generate an amazing amount of valuable data for brand owners. They will know exactly who has their stuff and how much of it they’ve got. If the app records “fails” as well, then they’ll also know who has the knock-offs too.