It seems like everyone wants to talk about smart devices these days. Since Google bought Nest, an explosion of discussion about the Internet of Things has sprung up, centering on conversations about privacy and security. The fact that this debate has been started by Google of all companies, the proverbial good guy in the fight for enterprise stewardship and good intentions, is somewhat ironic, but the real irony is that we are having this conversation at all. These devices have been available for ages. It’s the media fuelling the debate; they’ve practically designed it to fill the dead air between 2013 best-of lists and the Olympics. There are so many other things that we do where we haplessly give away information that is far more dangerous than the threat of some bored kid turning your heat up or down. Or is there?
In the space of things “bigger than a watch but smaller than a refrigerator” to be afraid of, I want to talk about an example most people wouldn’t include: those quaint little family stickers you put on the back of your people mover.
Consider the Family Set. We’ve all seen them – Dad in a baseball hat, bat in hand, Mom with a briefcase, wearing a power suit, Little Jimmy as a mini-me version of Dad, Little Suzy with her violin, and maybe Furry Purry the cat. Aww. It’s so cute. The thing is, you’ve given away everything that someone needs to do real harm to you and your family. With some careful inferences and something that psychics use called the Barnum effect, I can commit some very large hacks against your family.
1) Dad likes Baseball – I can infer he likely plays or is on a team
2) Little Jimmy likes ball too – Dad probably put him on a team, and maybe he even coaches
3) Mom is a professional – she likely works pretty long hours
4) Dual income? 2 Kids? Middle class family
5) Little Suzy and her violin – with baseball, work and music lessons, this is a busy family, spending lots of time away from home
6) Cat but no dog? No one home and no one to bark when I break the window
7) Thanks to your ultimate vehicle tattoo – I can now recognize your vehicle on the street, in the parking lot at the mall, and at your place of work. Maybe I even recognize you at the school where you drop off the kids. Wherever I find you, I can track you now. I can follow you home. I can read your mail. Now I know your name.
This is where things get really scary, if you aren’t scared already. There are any number of scenarios in which someone can use this information to perpetrate a social engineering hack against you.
Aunt Wiki tells us “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.”
Let’s say I intend to use this information to break into your house. How many of you give your keys to a neighbour? Possibly many of you. What would happen if, let’s say in the middle of the day in the summer, I started knocking on doors with the following story:
“Oh hi! I’m a friend of Jerry and Dawn’s. Jerry got held up coaching his son’s Little League game and Dawn is out at music lessons with their daughter. They asked me to come check on the cat and said you would have a key? Have I got the right place?”
There are a couple of things going on here –
1) I’m using personal information that it is assumed only someone in the inner circle would know
2) I’m deflecting my true purpose – I’ve asked if I have the correct location, not if I could have the key. I’ve implied that getting the key will be no problem. Instead, I’m putting your neighbour off centre by asking them to corroborate a different question. This both destabilizes them psychologically and solicits info about whether this is the neighbour with the key, or if one exists. From there, I repeat till I have the key, and … well, you can see where this is going.
I got all this with a sticker. Google wants to collect much more specific information about you, including whether or not you are currently at home, when you are typically away and when you get back. Each of us will have to weigh the pros and cons of convenience against privacy. Just don’t get lulled into a false sense of security just because someone wrote “Don’t be evil” in the business plan…