IoT products like Amazon Key come with a whole set of risks that consumers aren’t equipped to assess themselves. (credit: Amazon)
Every time a major Internet-connected product is released, we keep coming back to the debate over security vs. convenience. The progression of arguments goes something like this:
1. One group expresses outrage, skepticism, or ridicule, arguing that this product doesn’t need to be connected to the Internet;
2. Another group argues that the benefits outweigh the risks and/or that the risks are overblown;
3. There will be news stories on both sides of the issue, and the debate soon dies down as people move on to the next thing; and
4. Most users are left wondering what to believe.
As a security researcher, I often wonder whether the conveniences offered by these Internet-connected devices are worth the potential security risks.
To meaningfully understand the nuances of this ecosystem, I consciously made these devices a part of my daily life over the past year. One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected devices, which makes it difficult for users to have any sort of effective understanding of their risks.
I pointed out the same in a recent CNN Tech article about Amazon Key, where I also said:
A simple rule of thumb here could be to visualize the best case, average case, and worst case scenarios, see how each of those affect you, and take a call on whether you are equipped to deal with the fallout, and whether the tradeoffs are worth the convenience.
Without knowing a user’s specific needs, this is probably as close as it gets to any sort of “useful advice” any security professional could give.
But this is still only a semi-useful platitude, because it doesn’t answer a very important question: