Securing the Internet of Things

Today almost everything is connected to the internet - from your coffeemaker to your car to your thermostat. But the “Internet of Things” may not be hardwired for security. Window Snyder, computer security expert and author, joins EFF hosts Cindy Cohn and Danny O’Brien as they delve into the scary insecurities lurking in so many of our modern conveniences—and how we can change policies and tech to improve our security and safety.

Window Snyder is the founder and CEO of Thistle Technologies. She’s the former Chief Security Officer of Square, Fastly and Mozilla, and she spent five years at Apple focusing on privacy strategy and features for OS X and iOS. Window is also the co-author of Threat Modeling, a manual for security architecture analysis in software.

In this episode, Window explains why malicious hackers might be interested in getting access  to your refrigerator, doorbell, or printer. These basic household electronics can be an entry point for attackers to gain access to other sensitive devices on your network.  Some of these devices may themselves store sensitive data, like a printer or the camera in a kid’s bedroom. Unfortunately, many internet-connected devices in your home aren’t designed to be easily inspected and reviewed for inappropriate access. That means it can be hard for you to know whether they’ve been compromised.

But the answer is not forswearing all connected devices. Window approaches this problem with some optimism for the future. Software companies have learned, after an onslaught of attacks, to  prioritize security. And she covers how we can bring the lessons of software security  into the world of hardware devices. 

In this episode, we explain:

• How it was the hard costs of addressing security vulnerabilities, rather than the sharp stick of regulation, that pushed many tech companies to start prioritizing cybersecurity.
• The particular threat of devices that are no longer being updated by the companies that originally deployed them, perhaps because that product is no longer produced, or because the company has folded or been sold.
• Why we should adapt our best current systems for software security, like our processes for updating browsers and operating systems, for securing newly networked devices, like doorbells and refrigerators.
• Why committing to a year or two of security updates isn’t good enough when it comes to consumer goods like cars and medical technology.
• Why it’s important for hardware creators to build devices so that they will be able to reliably update the software without “bricking” the device.
• The challenge of covering the cost of security updates when a user only pays once for the device – and how  bundling security updates with new features can entice users to stay updated.

This podcast is supported by the Alfred P. Sloan Foundation's Program in Public Understanding of Science and Technology.

If you have any feedback on this episode, please email [email protected]. Please visit the site page at eff.org/pod203 where you’ll find resources – including links to important legal cases and research discussed in the podcast and a full transcript of the audio. 

Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of BeatMower. 

This podcast is licensed Creative Commons Attribution 4.0 International, and includes the following music licensed Creative Commons Attribution 3.0 Unported by their creators: 

http://dig.ccmixter.org/files/djlang59/37792

Drops of H2O (The Filtered Water Treatment ) by J.Lang Ft: Airtone

http://dig.ccmixter.org/files/admiralbob77/59533

Warm Vacuum Tube  by Admiral Bob Ft: starfrosch

http://dig.ccmixter.org/files/mwic/58883

Xena's Kiss / Medea's Kiss by mwic

http://dig.ccmixter.org/files/airtone/59721

reCreation by airtone