The futuristic visions promoted by Smart Metering and Smart Cities are compelling on several levels. Add into the mix an Internet-connected car. As a security person, it worries me how this all joins up in the home.
Am I a doom monger, or is there an issue that needs proper debate?
There are plenty of articles around the web talking about the privacy aspects, with the typical example being “the electricity company will be able to tell when you are taking a shower”. These issues are attracting healthy debate.
My concern is more about security (which leads to privacy: if you can’t secure data then you can’t ensure privacy). Here are some scenarios that concern me if the system were found to be insecure:
- A burglar could observe via the network when my property is unattended (evidence suggests this is already happening using social media). Worse, they could also check my neighbours to reduce the risk of them being spotted entering my house.
- An accidental (or malicious) remote system update (or malware) could alter system behaviour, for example turning heating down or off. In households with vulnerable people, could this lead to hypothermia (or worse)?
- For the real doom mongers, could I cause electrical equipment to overheat, causing a fire – remote arson?
Where I have heard these issues discussed, I have heard phrases like: “don’t worry we use the strongest SSL encryption, with a key length used by the military”; “We have strong access control mechanisms that will prevent that” and “Our quality control procedures will filter any such issues”. Oh dear.
If we have learnt anything as a security profession, it is that security is hard and has to be designed into the whole system. I am sure some of the people responsible for the security of nuclear reactors will have used these sorts of claims a few years back; then Stuxnet hit. Part of the resolution to these issues has to be ensuring security analysts and architects are engaged at the start to look at the end-to-end system, not just elements of protocol and process.
My fear is that the only place the full system comes together is in the home, where Smart Metering, uninformed users, broadband, virus-ridden PCs, etc. all join a mesh of home broadband and wireless networks. So who is the security analyst or architect looking after the consumer's interest? The home owner is certainly not equipped to do this.
Will the various service providers consider the home owner's full dilemma? I speculate they will most likely take the view that their part of the service is fine, so it is not their problem.
Are the consumer organisations up to the challenge? Certainly not yet.
Am I alone in being concerned about how it all comes together in the home?