When I was 10 years old, I took my first trip to Disney World. The futuristic rides in Tomorrow Land were my favorites. In particular, I loved “The Carousel of Progress,” which, at the time, was an attraction designed by General Electric to showcase its new technologies at the 1964 New York World’s Fair.
The song, “There’s a Great Big Beautiful Tomorrow,” played as the curtains opened. I was sure that when I was in my 30s (at the most, no doubt), my house would look like “The Future” house, which was the last act in the show. In awe, I thought I would have a house that would automate most of the cooking and a robot that would do the cleaning. I do.
My great grandfather was born in 1899 — about the time the Disney attraction’s first act begins. The characters declare “they have all they could ever need,” with their Victrola Talking Machine and horseless carriages. I remember discussions with my great grandfather about men taken to the moon on rocket ships. “No, not possible,” he would reply.
My great grandfather would be in awe of the conveniences and new technologies I have in my home today, from my Internet-controlled thermostat that I can use to heat up my home from an airport in Europe to the wireless Internet-accessible alarm and monitoring system that will send email messages to my phone when an alarm event occurs. These technologies are becoming more affordable and accessible every day. There are many open source plans for making every one of these control devices, and some have free or open source apps to run them from a smartphone. This is where I come in.
The Convenience vs. Security Trade-Off
My job is to try to “break” these convenient technologies to determine if they have security issues — and in some, that translates into safety issues. As a security vulnerability researcher, my job is to do what is called “penetration testing” to see if malicious hackers can break into things and take control of a car via its connection to the Internet, for example.
Likewise, I analyze if a particular coffee maker or refrigerator could become part of a botnet — that is, part of a controlled electronic computer army set to attack a critical infrastructure target like banking or the electrical grid. In my line of work, I have seen all of those things occur in just the past nine months.
One of things you learn well in the computer security field is that there is a trade-off between convenience and security. You can build a fortress that is very difficult for a malicious person to enter, but it will be pretty inconvenient for you to enter and exit on a daily basis, too. Of course, there is a medium ground, but akin to the Golden Mean, it is a give-and-take between security and accessibility from both ends of the spectrum.
Last year, for example, colleagues of mine in the security industry were able to access many products hooked up to the Internet of Things: cars, refrigerators, coffeemakers, smartphones. They even hacked a technology-laden toilet, creating surprising malfunctions. However, as long as we have people in the security industry testing these devices for security and safety issues, and sharing their findings in an effort to shed light on problems and stimulate patches and fixes, I am feeling cautious — but OK — about our Internet of Things future.
I am incorporating these devices into my home. When my kids need to use computers every night for homework assignments, I monitor what they are doing, but I will not prohibit them from using computers. This is true despite the bad security vulnerabilities I come across in my work. Likewise, I am not going to ditch my computer-controlled car for one from the 1980s with — at the most — a fuel injection computer and no more.
Dreams Come With Risks
However, I am cognizant of the risks and, in turn, have become vigilant in reading product reviews and keeping track in the news and recent legislation about manufacturers that have not designed their particular devices, services or products with security as a priority. As the devices we carry around with us may pose risks to our security and privacy, being a consumer who is aware of these trade-offs means that before I download an app on my phone, for example, I read what I am granting permission for it to access. This way, I mitigate my risks and vulnerabilities.
If I think that the trade-off for my privacy and security is too great and outweighs the convenience of using a particular app, I do not install it. For example, I think that some apps do not really need access to all of the contacts stored on my phone or to my GPS location. As a consumer, I can and do make those choices every day. I favor companies that emphasize their security design features — not just how awesome it is to use their product.
The Disney ride closes with the phrase, “When it becomes a reality, it’s a dream for you and me.” Agreed — reality is like a dream, and modern conveniences allow me to spend more time with my family while I have appliances doing the housework. I am aware of security and privacy risks with the Internet of Things enhanced connectivity, but I know that as long as there are people in the security research field who are finding and disclosing vulnerabilities, I can make informed choices and create an impetus for manufacturers to include security in their products and move away from the antiquated concept, “If it works, it’s done and ready for market.”
If my great grandfather were around today, perhaps seeing my house for the first time would be as if the curtains opened at an attraction at Disney World. My house does look like “The Future” house — my 10-year-old self would be amazed that it really happened like that — and for those of you who have seen the attraction, I still burn the turkey. No technology is perfect when designed and operated by imperfect humans, but we do our best.
“No, it’s not possible,” my great grandfather might say, but I would now respond, “It is, and there are many people working to make it convenient AND safe.”
There will be data breaches and failures along the way, but as long as we live in a society where we can learn from and share security and privacy protection design failures, we are progressing toward a “Great Big Beautiful Tomorrow.”