Monday, December 07, 2015

Child's Play: Hacking the Internet of Things


A company called VTech based in Hong Kong makes smart toys for kids.  One of their tablet products can connect to a parent's smartphone with a service called KidConnect, allowing children to send photos and text messages to their parents.  Sounds all nice and family-friendly, yes?  Well, in November the website Motherboard revealed that a hacker had managed to get into VTech's servers and download thousands of private photos, messages, passwords, and other identifying information that KidConnect users had sent and received.  This has understandably upset digital media commentator Dan Gillmor, who swears in a recent Slate article that not only he will never buy any Internet-enabled toys for children, he doesn't think anybody else should, either.  Reportedly, VTech has shut down the KidConnect service until they can do something about security.  But this incident brings up a wider question:  what dangers does the Internet of Things pose for children?

In case you've been living in a cave somewhere, the Internet of Things (IoT, for short) is the idea that in the very near future—by some measures, right now—internet connections, sensors, and the hardware and software needed to use them will be so cheap and ubiquitous that lots of everyday items will be connected to the Internet, sending and receiving data that will make great changes in our lives.  The promoters of IoT naturally hope that these changes will be for the better, and can point to examples that have done that.

This matter gets close to home for me personally, because for the last several years I have supervised electrical engineering senior design teams at my university, and several of the past and current teams have worked on projects that are IoT-related.  About four years ago, one team's project was a communications system designed to monitor electric-power consumption in the home, at a finer-grain level than just what the electric meter could sense about overall power consumption.  The idea was that if consumers have a detailed profile of their electricity usage, they can make more intelligent choices about what to turn on when.  Maybe doing the laundry late at night instead of right when you get home in the afternoon will put usage into a more favorable rate period, for example. 

As I was discussing the project with the team, it occurred to me that this information could be used for nefarious purposes.  You can tell a lot about a person if you have the kind of usage information the team was planning to measure: whether the user is home, for instance, and even what appliances are used and how often.  So I brought up this ethical issue with the team and made sure that they mentioned it in their final report. 

Since then, companies such as Freescale Semiconductor have jumped into IoT-related products and devices in a big way.  (Full disclosure:  Freescale has donated equipment and funds to the Ingram School of Engineering, where I work.)  From all I can tell, the Internet of Things is going to happen one way or another, and it behooves both engineers and the general public to give some thought to any possible downsides before something really bad happens.

Returning to the question of children and IoT, we are in a peculiar position these days.  Many children and young adults are vastly more tech-savvy than their parents, and this makes it hard for the parents to institute meaningful controls on what kids do online.  In the bad old days when the list of dangerous things in the home was mainly physical—guns, knives, poison, screwdrivers near electric outlets—it was a fairly simple matter for parents to keep toddlers out of harm's way.  But in the case of some toy that hooks up to your WiFi network, odds are that the parents are as clueless as the children regarding the privacy and security measures taken by the device's maker.  VTech itself didn't know how vulnerable its servers were until some enterprising hacker cracked into them and notified the media. 

Despite living with the Internet for close to thirty years now, we still have some things to learn about it, among which are new ways of using it that are potentially hazardous.  And children are an especially vulnerable population, as everyone agrees.  It's shortsighted to think of children always as the innocent parties in these matters too.  Some kids can be downright wicked, bullying others mercilessly.  Before we got so interconnected, a bully's sphere of influence was limited to the radius reachable by his fists, but hand a bully a smartphone with some sort of anonymous chatting app on it, and it's like putting wings on a wildcat.  His bullying sphere has instantly widened to include the entire globe, limited only by language ability and time.  And we have already seen instances in which Internet bullying has driven some vulnerable individuals to suicide.

Nobody is calling for a wholesale ban on Internet-enabled toys or anything like that.  But as I have often emphasized to my students in discussions of engineering ethics, many ethical lapses in the area of engineering can be traced to a lack of imagination.  When you are dealing with a physical structure like a bridge, it's relatively easy to calculate the maximum loads and find out how strong each member has to be for the bridge not to fall down.  But in any system that is intimately bound up with the behavior of people—especially millions of people at a time—your imagination has to anticipate the character and intentions of persons perhaps very different from you, who will twist your system around to serve their possibly sinister purposes. 

That is why privacy and security concerns need to be considered at the very beginning of any project that involves the Internet, and especially when a product is intended to be used by children.  VTech clearly did an inadequate job in this area, but they can serve as a bad example to warn future designers and users of IoT-enabled gizmos.  The craft of lockmaking is nearly as old as the craft of housebuilding, and for a good reason.  There are bad actors out there, and any time we open up a channel of communication involving a private citizen or residence, it needs to be guarded with the same care that we would extend to our own physical possessions.  Beyond mere technical ability, doing that well requires moral imagination, which should be in the toolkit of every good designer.

Sources:  The online magazine Slate carried the article "Parents: This Holiday Season, Do Not Buy Internet-Connected Toys for Your Kids" by Dan Gillmor at http://www.slate.com/blogs/future_tense/2015/12/03/internet_connected_toys_make_terrible_holiday_presents.html.  That article referenced a report at Motherboard describing the VTech hack and what the hacker found, which is at http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech.

No comments:

Post a Comment