This article is part of the series "Scout Brody on Creating Security Systems Usable for All".
By now, we’ve all seen the wildly popular internet of things devices flourish in pop culture, holding much promise and potential for improving our lives. One aspect that we haven’t seen is IoT devices that are not connected to the internet.
Scout Brody points out that we should consider why putting a full internet stack on a new IoT device will help users, as well as the benefits of bringing design thinking to the creation of IoT devices.
Cindy Ng: I also really liked your idea of building smart devices, IoT devices, that aren’t connected to the internet. Can you elaborate more?
Scout Brody: Yes, you know, I like to say, when I’m talking to friends and family about the internet, there are a lot of really interesting, shiny-looking gadgets out there. But as someone who has a background in doing computer security, and also someone who has a background in developing production software in the tech industry, I’m very wary of devices that might live in my home and be connected to the internet. I should say, low power devices, or smaller devices, IoT devices that might be connected to the internet.
And that’s because the landscape of security is so underdeveloped. We think about where…I like to draw a parallel between the Internet of Things today and desktop computers in the mid-90s. When desktop computers started going online in the 90s, we had all sorts of problems because the operating systems and the applications that ran on those machines were not designed to be networked. They were not designed, ultimately, with a threat model that involved an attacker trying to probe them constantly in an automated fashion from all directions. And it took the software industry, you know, a couple of decades, really, to get up to speed and to really harden those systems and craft them in a way that they would be resilient to attackers.
And I think that based on the botnet activity that we’ve seen in just the past year, it’s really obvious that a lot of the IoT systems that are around the internet full-time today, are not hardened in the way that they need to be to be resilient against automated attacks. And I think that with IoT systems, it’s even scarier than a desktop, or a laptop, or a mobile phone because of the sort of inevitable progression toward intimacy of devices.
We look at the history of computing. We started out with these mainframe devices or these massive god awful things that lived in the basement of the great universities in this country. And we progressed from those devices through mainframes and, you know, industry through personal computers and now the mobile phones. With each step, these devices have become more integrated into our lives. They have access to more of our personal data and have become ever more important to our sort of daily existence. And IoT really takes us to the next step. It brings these devices not just into our home, but into our kitchens and into our bathrooms, and into our bedrooms, and our living rooms with our children. And the data they have access to is really, frankly, scary. And the idea of exposing that data, exposing that level of intimacy, intimate interaction with our lives, to the internet without the hardening that it deserves, is just really scary. So, that’s, you know, a bit of a soapbox, but I’m just very cautious about bringing such devices into my home.
However, I see some benefits. I mean, there are certainly…I think that a lot of the devices that are being marketed today with computer smarts in them are, frankly, ridiculous. There are ways that we could, sort of, try and mediate their access or mediate a hacker’s access to them, such that they were a little less scary. One way to do that is, as you mentioned, and as we discussed before, to not have them be just online. You know, have things be networked via less powerful protocols like Bluetooth low energy, or something like that. That poses challenges when it comes to updating software or having, you know, firmware or software on a device, or having a device being able to communicate to the outside world. If we want to be able to turn our light bulb on the back porch on from our phone when we’re 100 miles away, it’s difficult. More difficult if the light bulb is only really connected to the rest of our house by Bluetooth, but it’s still possible. And I think that’s something that we need to explore.
Cindy Ng: Do you think that’s where design comes in where, okay, well, now we’ve created all these IoT devices and we haven’t incorporated privacy and security methodologies and concepts in it, but can we…it sounds like we’re scrambling to fix things…are we able to bring design thinking, a terminology that’s often used in that space, into fixing and improving how we’re connecting the device with the data with security and privacy?
Scout Brody: I think so. I mean, I think what’s happening today…the sort of, our environment we’re in now, people are saying, “Oh, I’m supposed to have smart devices. I want to ship smart devices and sell smart devices because this is a new market. And so, what I’m going to do is, I’m going to take my thermostat, and also my television, and also my light bulb, and also my refrigerator, and also my washer-dryer, and I’m going to just put a full internet stack in them and I’m going to throw them out on the big, bad, internet.” Without really stopping to think, what are the needs that actual people have in networking these devices? Like, what are the things that people actually want to be able to do with these devices? How is putting these devices online going to actually improve the lives of the people who buy them? How can we take these devices and make their increased functionality more than just a sales pitch gimmick and really turn this into something that’s useful, and usable, and advances their experience?
And I think that we, frankly, need more user research into IoT. We need to understand better what are the needs that people have in their real lives. Say, you want to make a smart fridge. How many people, you know, would benefit from a smart fridge? What are the ways that they would benefit? Who are the people that would benefit? What would that really look like? And based on the actual need, then try and figure out how to…and here’s where we sort of switched the security perspective, how do I minimize access? How do I minimize the damage that can be done if this machine is attacked while still meeting the needs that the humans actually have? Is there a way to provide the functionality that I actually know that humans want, that the human people need, without just throwing it on the internet willy-nilly.
And I think the challenge there is that, you know, we’re in an environment where IoT devices…that the environment is very competitive and everyone is trying to do, sort of, the early mover trying to get their device on the market as soon as possible. We see a lot of startups. We see a lot of companies that don’t have any security people. I know we have, sort of, one or two designers who don’t have the opportunity to really go in and do research and understand the actual needs of users. And I think, unfortunately, that’s backwards. And until that gets rectified, and you see companies both exploring what it is that people actually will benefit from, and how to provide that in a way that minimizes access, I think that I will continue to be pretty skeptical about putting such devices in my own home.
Cindy Ng: And, so we’ve spent some time talking about design concepts, and security, and merging them together. How can someone get started? How do they start looking for a UX designer? Is that something that Simply Secure, the nonprofit that you’re a part of, can you help in any way?
Scout Brody: Yeah. So, that is actually, kind of, exactly what Simply Secure has set out to do as a nonprofit organization. You know, we recognize that it’s important to have this partnership between design and security in order to come up with products that actually meet the needs of people while also keeping them secure and keeping their data protected. And so, Simply Secure works both in a sort of information sharing capacity. We try to, sort of, build a sense of community among designers who are interested in security and privacy topics as well as developers and security folks who are interested in learning more about design. We try to be sort of a community resource. We, on our blog, and our very small but slowly growing GitHub repository, try to share resources that both designers and software developers can use to try and explore and expand their understanding at the intersection of security and design.
We actually, as an organization, do ourselves what we call open research and consulting. And the idea here is that an organization, and it can be any organization, either a small nonprofit consortium organization, in which case, you know, we work with them potentially pro bono. Or, a large for-profit tech company, or a startup, in which case we would, you know, try to figure out some sort of consulting arrangement. But we work with these organizations to help them go through a design process that is simultaneously integrated with their security and privacy process as well. And since we are a nonprofit, we don’t just do, sort of, traditional consulting where we go in, do UX research and then come out, you know, with a design that will help the company. We also go through a process of open sourcing that research in such a way that it will benefit the community as a whole. And so the idea here is that by engaging with us, and sort of working with us to come up with a design or research problem…a problem that an organization is having with their software project, they will not only be solving their problem but also be contributing to the community and the advancements of this work as a whole.