Blog: Internet Of Things
What if your fridge said “no”? What if indeed?
Whilst passing through Birmingham Airport a while back I noticed a billboard from Warwick University:
I interpreted this as a refrigerator that was smart enough to know when you should (or more accurately shouldn’t) be eating or drinking.
Which I liked the idea of, but had me thinking of the security challenges of achieving this and personal data breaches that would be encountered along the way. We’ve seen it with numerous ‘internet of things’ devices – manufacturers make their device/appliance/toy/etc ‘smart’ in an effort to steal a march over the competition. Only later (usually too late) do they realise that security is actually quite important, and their customers’ data gets splattered over the internet.
So, back to the fridge. In order to inform you about whether or not you’re allowed to eat, it is likely to need to:
- Identify you
- Identify how much you’ve eaten already
- Communicate with various online resources
- Make a decision about whether you’re allowed to eat
- Inform you of that
That would be quite handy if your personal judgement was’ impaired’ too – been out on the lash and got the munchies? Fridge says ‘no’.
And further developments to stop you pie-eating cheating might include:
- Knowing what is in the fridge
- Locking the fridge door to stop you ignoring it
- Knowing what you’ve consumed elsewhere
What could possibly go wrong?
First, identifying you: biometrics can be done securely, but the problem of revocation in the event of biometric theft has not been fully resolved. I’ve covered this elsewhere, however if the fridge is breached and your biometric data is stolen, you’ve got a whole lot more to worry about than your weight.
Next, in order to know how much you’ve eaten already, the fridge might need to make an assessment of your blood sugar level, or some other way of inspecting your metabolism. I’m no biologist, but a wearable sensor might be one way of doing this. I’m thinking of future developments of current activity monitors, or similar.
We have already seen security bugs with several of these sensors. Even if these are ironed out, you still have the problem of the users needing an account. Accounts require passwords. Users can be muppets: they set, re-use and write down their passwords.
So they do 2 factor authentication. And they do it with their mobile phones. Which have 4 digit PINs, because no-one bothers to show people how easy PINs are to crack and/or shoulder surf.
Then, the fridge needs to communicate with the sensor that the user wears. That is likely to require a web application that interfaces with a mobile application, then from the mobile to the sensor. There are so many different attack vectors here, it’s almost impossible to list. What’s the chance that the fridge firmware is completely secure and stores the credentials it needs to communicate securely?
Assuming the fridge is just calorie counting, then the decision about eating should be an easy one. But for a shared fridge that others use too? Hmm.
And then the fridge has to communicate its decision with you.
Now, I’m a reasonably fit distance runner, but I have a few spare pounds. I know how to manage my diet, but that gets regularly ignored on a night out. Come back from the pub with a couple of beers inside me and a fine case of the munchies…
The fridge won’t give me food. I can fix that:
‘Kids, can you come and open the fridge for me please’
‘Can I have a 12 inch Hawaiian pizza delivered please’
‘mmm, where’s my crowbar’
If the fridge is just making recommendations, that’s fine. But taking control of my finely-honed pie-eating skills? I don’t think so.
I’ve no issue with the concept of the internet of things, but every device we look at has security issues.
What if, rather like the issues we found with the Samsung smart fridge this fridge was vulnerable? Could we lock the consumer out of their fridge? Denial of food Service?
In the meantime, I’m going to continue with my perfectly serviceable non-smart fridge and comfort-eat my way back from the pub.