April 2017

Volume 32 Number 4

[Editor's Note]

What We Leave Behind

By Michael Desmond | April 2017

In its short history, the Internet of Things (IoT) has produced its share of drama, from the largest-ever distributed denial of service (DDoS) attack (msdn.com/magazine/mt790193) to the prospect of zombie automobiles taking orders from remote hackers (msdn.com/magazine/mt422336). Now, a recent presentation at the RSA Conference 2017 makes clear that the IoT has an ownership lifecycle problem. And once again, the auto industry is helping lead the way.

Charles Henderson leads IBM’s rather amazingly named X-Force Red, a crack team of security pros tasked with challenging and verifying the security of deployed applications, networks, hardware and workforces. In that role, Henderson is involved in research, outreach and vulnerability testing for IBM. At the RSA Conference 2017 in San Francisco, Henderson related his personal experience trading in a beloved convertible for a new car at an auto dealership. What started as a simple transaction turned into a journey of discovery, as Henderson learned that there seemed to be no straightforward way to fully remove his personal information and access rights from the connected systems on his old car.

It wasn’t for lack of trying. Henderson detailed the steps he took in returning his convertible, taking care to clear his personal information from the car’s infotainment and other systems. He performed a factory reset, wiped the Bluetooth settings and reset the garage door openers. But when he got home with the new car—a different model from the same brand and dealership of his old car—Henderson discovered something odd. The smartphone app used to locate his car and provide convenience functions like locking doors, starting the engine and beeping the horn still showed his old car right next to the new one. Figuring there must be a lag in processing the transfer, Henderson waited. And waited. And waited.

Two years later, the old convertible was still present in his smartphone app. Henderson enjoyed as much control over his old car’s systems as the current, rightful owner. Over the two years that followed, he researched the resale of several cars back to authorized dealers across four different manufacturers, and found that in every instance the dealer failed to properly control access after the sale.

“Cars are not disposable items,” Henderson said. “Concepts of access revocation and resetting access only work if they’re intuitive to that second owner.”

The problem is only getting worse. As home smart hubs and other consumer-connected devices and appliances proliferate, the question arises: What happens to data, settings and access after you’re done with connected hardware? Right now, there’s no easy and obvious answer. Henderson pointed out that the mobile phone industry used to have this problem, with personally identifiable information (PII) like photos and contacts turning up on phones resold on the open market. To help boost the resale value of phones, vendors worked to create a consistent device reset experience.

Automobiles and really the whole universe of consumer IoT products need something similar. Henderson said the answer lies in the development and adoption of standards for clearing PII from devices, and in training users to look for and utilize factory reset functionality. And even then, it won’t be easy.

“At the B2B level we still screw up access revocation on a daily basis,” Henderson told the audience. “If we can’t do it in business, how do we expect to do it in the home? That’s a tough nut to crack.”

It certainly is. But the alternative is to leave a trail of leaky, exposed and vulnerable connected hardware in our wakes.

Michael Desmond is the Editor-in-Chief of MSDN Magazine.
