Were I in charge of technology or information security for, say, China, Iran, North Korea, or Russia, yeah, I’d be looking for home-grown products where any malware or unfortunate Easter eggs were planted by my own agents, not my global adversaries.
Discussions, at least in the United States, about having products co-opted by hostile state actors have gone on for decades. As mentioned earlier, they first came to my attention with Huawei about 20 years ago. I didn’t think about it too much until the many revelations by Edward Snowden about how deeply embedded (literally and figuratively) NSA back doors were within telecommunications products and networks. Still, it was all spying, which of course every government was believed to be doing.
And thus, every networking device in our home, in our office, in our service provider network, can be, and should be, considered a member of a Fifth Column – a potential spy, a potential thief, a potential troublemaker that can be accessed and controlled by foreign governments who get their claws (and code) into the devices’ firmware via back doors and hidden functionality. To be clear, these devices are becoming omnipresent: they never sleep, they are always listening, and they are recording and reporting back to cloud data centers where the information is correlated, analyzed, and actioned.
Hey, you can’t be too paranoid, as The Guardian revealed in its February 2016 story, “The government just admitted it will use smart home devices for spying.” The story quotes testimony by the U.S. Director of National Intelligence, James Clapper: “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”
Around the same time, a study from the Berkman Center for Internet and Society at Harvard University went deeper into the subject with its detailed report, “Don’t Panic: Making Progress on the Going Dark Debate,” which focuses in large part on government actions to force tech companies and service providers to provide surreptitious access to devices, networks and data.
The study concludes, in part, that end-to-end encryption and other technologies for obscuring user data are unlikely to be adopted ubiquitously by tech companies due to their own economic self-interest. Therefore, “Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.”
The report continues with a real-world example: “The audio and video sensors on IoT devices will open up numerous avenues for government actors to demand access to real-time and recorded communications. A ten-year-old case involving an in-automobile concierge system provides an early indication of how this might play out. The system enables the company to remotely monitor and respond to a car’s occupants through a variety of sensors and a cellular connection. At the touch of a button, a driver can speak to a representative who can provide directions or diagnose problems with the car. During the course of an investigation, the FBI sought to use the microphone in a car equipped with such a system to capture conversations taking place in the car’s cabin between two alleged senior members of organized crime.”
In other words, there are plenty of avenues for state intelligence and counterintelligence agencies to get into the IoT, and therefore into our homes, offices, automobiles and civic infrastructure. Remember how in movies, government agents would routinely sweep their hotel rooms for bugs? That's so old school, when today you have microphones and cameras in connected cars, phones, tablets and televisions, and the next wave of connected devices includes always-on, always-listening devices from Amazon and Google. Can you hear me now?