Case Study: Camera Serial NumbersSeveral years ago. I developed a tool to help map images uploaded online to the cameras that took them simply by discovering that many cameras embed the serial number of the camera into an image's EXIF data. The tool was used to help recover stolen cameras, as well as to help track child pornographers by simply extracting the camera make, model, serial number and the URL of where the image was found. The utility helped police solve several crimes, all with only the serial number of a camera. One particular case tracked a stolen camera a year after it was stolen and after it had been sold twice – once on Craigslist and again on eBay.
Although you may not consider a professional camera a component of the "Internet of Things," the data these devices generate, or the fact that they are connected to devices makes them part of the ecosystem. Device IDs find themselves not just in images, but appear in log files and other "hidden" places many consumers would not think to look for identifying information.
Location, Location, Location
Of course, it isn't just serial numbers that we find in images and logs but also other types of data. One common piece of information is location, which can be identified by IP address to the city you live in to more granular fragments of data, such as the geo location embedded in images and check-ins with various social apps. I have tracked several dozen thieves using Wi-Fi location services along with other pieces of evidence, as well as extracting location data from images, log files and other sources. Many times, location data can be derived from other pieces of information, so even if you do not knowingly provide location data, it can still be determined, even when disabling geolocation on your phone or other devices.
I tracked a pair of criminals targeting various wireless stores in the Portland area, after they took photos of themselves which were backed up automatically to an encrypted backup service where I was also able to pull GPS coordinates. In the images I also saw a temporary trip permit which helped investigators even further. In this case the suspects were caught, along with four others involved in various crimes, they even recovered a stolen car.
So, although I used the various pieces of data for tracking criminals, this same data exists for everyone. Criminals, hackers and marketers alike can leverage this data to learn more about you than you may think. If we add data breaches to the mix where hackers have access to more in-depth information, including credit card numbers, credit reports, medical information, phone/data backups and other sensitive data, we have an even more dangerous situation.
Securing the Infrastructure of Things
As we delve into the Internet of Things, where everything is connected, the advice I gave at AppSec this year, was for developers to stop blindly collecting data and only collect the data that you need and nothing more. If you need to store data, can it be encrypted and stored in such a way that not even you have access to it through the use of private keys? If so, do it.
In your risk models, make assumptions that your customers' data is compromised – what is the damage that it could cause? What information can be derived from this data? Can the data be overlayed with data from other publicly available sources or even other breaches to enrich the fidelity of individual profiles?
These are questions that are rarely asked when developing hardware and applications that we should be asking. The data you collect today may seem like it is innocuous but down the line, it could be harvested and correlated in ways you didn't imagine.
In addition to developers taking security and privacy into consideration when collecting data, companies need to take into consideration the security of the "infrastructure of things." Securing the end user endpoint is one thing, but as we have seen with a number of high-profile breaches over the past few years, the real target for hackers is the infrastructure that drives the Internet of Things. The complexity of securing these types of environments has unique challenges as many rely on cloud-based or virtual environments to provide elasticity as demand for services grow.
I will be discussing how organizations can better secure this type of infrastructure in future blog posts. If you are responsible for securing infrastructure like this, what unique challenges do you face that strays from "traditional IT"? Let us know in the comments, I would like to hear from those in the trenches.