How Scared Should I Be of the Internet of Things?

When I think of the term internet of things (IOT), I think of Kevin Spacey as the Jeeves-like computer system GERTY from the 2009 movie Moon: an all-in-one computer that controls my whole house, meaning it can be both an omniscient butler and a best friend. Unfortunately, for the time being, the IOT is really just a bunch of WiFi enabled household appliances, and recent headlines have made them a nightmare for paranoid people like me.

Connecting appliances like, say, my aquarium to the internet, so I can theoretically rescue my fish from under-salted water in Los Angeles while I stand on the Great Wall of China, all sounds like a cool idea, but the proliferation of smart appliances may have drawbacks. It seems that voice-activated home assistants like Amazon’s Echo are able to violate users’ privacy in new and exciting ways. And meanwhile, according to one of my colleagues at Motherboard, highjacking internet-enabled devices is the latest fad for un-creative, dilettante hackers who want to build their very own robot armies and attack their enemies by overwhelming their servers with too much traffic.

Videos by VICE

According to Justin Cappos, computer scientist at New York University’s Tandon School of Engineering, potentially hackable IOT devices are an untamed frontier. Manufacturers typically don’t tell consumers what security measures, if any, their devices have been equipped with, so experts have to perform “teardowns,” in which they dissect these devices to find out answers. “We basically have to spend months actually going in and figuring out what they did in their device, in a very painstaking, manual way,” he told me, adding “the teardowns people have done have not been very promising.”

Among common vulnerabilities Cappos cited were developer passwords, usable by anyone who knows them, that allow a backdoor into the device. Often these are as stupidly easy to guess as “password” or “12345.” Then, on the off chance a smart appliance encrypts your private data, Cappos said product designers “use very poor encryption that’s trivial to break, or they just have a really bad security design that they didn’t really think about.”

Cappos thinks a certification process not unlike the one the FDA has for food would go a long way toward improving his confidence in IOT devices, and certifications are plausible, given that Tom Wheeler, the current Federal Communications Commission (FCC) chairman, has actually signaled his interest in exploring such a certification process. But the FCC is about to have a new boss—a dude named Trump—who says he’s really, really not into regulating businesses.

And if IOT device owners are vulnerable to hacks, what’s the worst that can happen, apart from your smart-stuff being drafted into a “zombie army” by an internet evildoer, and DDoSing an unsuspecting blogger? Cappos told me to imagine anything I worry might go wrong with one of my existing appliances when I’m not home, and then imagine that someone can make that happen on purpose. Personally, I worry about leaving my oven on, or having my electronic dog feeder freak out and starve my dog. If those were all IOT devices, they’d be vulnerable not just to my own forgetfulness, but to the malice of my many enemies.

Then there’s Amazon’s Echo—an intelligent plastic cylinder that sits in your house and misunderstands things in hilarious ways (and also is supposed to answer your questions and stuff). Echo is an example of a new brand of full-time, internet-enabled presences in our lives who know what we’re up to when we’re at home. “Privacy in the internet of things is more complicated than current online privacy in the sense that you are usually aware—or at least [complicit] in—the collection of data,” according to Peter Asaro, a science and technology philosopher at the New School who studies the implications of smart buildings.

So the Echo is shaping up to be one of those new devices that comes with a lot of dystopian worst-case scenarios that we inevitably dismiss and just buy the thing anyway. In particular, it has this questionable habit of analyzing every single word you say in the hopes you’ll use the word “Alexa,”and sending your voice queries to Amazon, where they use them for their own purposes. “They have a great economic incentive by the way, to try to use that information, at the minimum, for marketing purposes,” said Cappos.

“You will have very little knowledge of who can access that information, and for what purposes,” Asaro told me. “Voice recognition personal assistants, for instance, already upload audio recordings to be interpreted by the manufacturer or third parties. It is very unclear how long such data is retained, or how else it may be used.”

But some of those unanticipated uses have already become clear. As part of a murder investigation, certain Amazon Echo voice data is already being mined for evidence in a criminal court case. The idea of a household appliance snitching on you is slightly troubling if you’re a stickler for privacy, or just don’t like being prosecuted for stuff.

But future uses and abuses of this kind of data could be more subtly insidious. Cappos told me that some day, if I buy a smart device that knows what I eat, like a refrigerator, and I don’t keep a close eye on who can access my data, it might get sold to someone with an interest in knowing my midnight snacking habits. “You can easily imagine that this information might also be used to influence your health insurance premiums, and even your employer who goes and does a background check on you,” he said.

So should I ever let the internet into any of my things? Maybe, Cappos said. Cappos, who avoids all technological intrusions into his personal space if he possibly can, told me he owns a camera-equipped smart device: Kinect for his XBox One. His enjoyment in using it outweighs the risk, and he takes extra precautions by keeping his Kinect unplugged when he’s not using it. This is the approach he recommends: If a smart device is going to make a difference in your life, then “it makes a lot of sense to make that leap,” he told me.

But he added, “If you just think it’s cool to [say to] people who come over, ‘Look! I can change how cold my freezer is from my phone!’ then is it really worth the potential for someone to go and break in and thaw all the stuff in your freezer?”

Final Verdict: How Scared Should I Be of the Internet of Things?

2/5: Taking Normal Precautions

Follow Mike Pearl on Twitter.