Cyberspats on the Internet of Things

By Michael Barr

CTO and Software Expert Witness

Barr Group

April 11, 2017

Blog

Cyberspats on the Internet of Things

When you hear the words “weaponization” and “internet” in close proximity you naturally assume the subject is the use of hacks and attacks by terrorists and nation-state actors. But then comes...

When you hear the words “weaponization” and “internet” in close proximity you naturally assume the subject is the use of hacks and attacks by terrorists and nation-state actors. But then comes news about an IoT garage door startup that remotely disabled a customer’s opener in response to a negative review.

In a nutshell, a man bought the startup’s Internet-connected opener, installed it in his home, was disappointed with the quality, and wrote negative reviews on the company’s website and Amazon. In response, the company disabled his unit. In context of the explosion of Internet connections in embedded systems, this prompts several thoughts.

First and foremost, what does it mean to buy or own a product that relies for some functionality on a cloud-based server that you might not always be able to access? Is it your garage door opener or the manufacturer’s? And how much is that determined by fine print in a contract you’ll need a lawyer to follow?

Additionally, what if in this specific situation the company hadn’t made any public statements at all and had just remotely made the customer’s garage door opener less functional? There’d have then been no fodder for a news story. The company would’ve gotten it’s revenge on the customer and the customer might never have known anything except that the product wasn’t to his liking. Investigating might cost him time and money he did not have. It’s almost certainly the case that this company would have seen better business outcomes if it had quietly disabled the unit in question. And there are so many ways other insidious ways to go about it, including bricking the unit, refusing it future firmware updates, or even subtlety downgraded its functionality.

Which brings us back to the weaponization of the Internet. Consumers have no choice but to trust the makers of their products, who have complete knowledge of the hardware and software design (and maybe also the digital signatures needed to make secure firmware updates). And these companies typically have all kinds of identifying data about individual customers: name, geographic location, phone and email address, product usage history, credit card numbers, etc. So what happens when the makers of those products are unhappy with one or more customers, from those posting bad product reviews all the way up to politicians and celebrities they may dislike?

Perhaps private companies are already attacking specific customers in subtle ways. How would we know?

Barr Group co-founder and CTO Michael Barr is a former adjunct professor of electrical and computer engineering with over a decade of software design and implementation experience. Barr has been admitted as a testifying expert witness in U.S. and Canadian court cases involving issues of reverse engineering, interception of encrypted signals, patent infringement, theft of copyrighted source code, and product liability. Barr is also the author of three books and more than 60 articles and papers on embedded systems. For three and a half years Barr served as editor-in-chief of Embedded Systems Programming magazine. Barr holds B.S. and M.S. degrees in electrical engineering and has lectured in the Department of Electrical and Computer Engineering at the University of Maryland, from which he also earned an MBA.

Barr Group co-founder Michael Barr is a former adjunct professor of computer engineering with more than twenty-five years of experience in the software industry, including over a decade spent developing software for embedded systems. Mr. Barr is the author of three books and more than seventy articles and papers about embedded software design and architecture and has testified more than twenty times before judges and juries.

More from Michael

Categories
IoT