The Internet of Things is about to get more powerful—and potentially more dangerous.
Earlier this year, developers began rolling out the Web Bluetooth API, which is a foundational component of the evolving Web of Things, the application layer of the IoT. With Web Bluetooth, any Bluetooth Low Energy device—think smart lightbulbs, appliances, health monitors, door locks, and more—will be able to connect to the web through your browser.
Web Bluetooth enables you to control your Bluetooth devices directly from your browser without the need for a special app. But it also also lets you give websites permission to connect to your IoT devices.
“It’s going to democratize development,” Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group, told the Daily Dot in a phone interview. “From a developer’s perspective,” he added, “it opens up a lot of different new scenarios.”
Hegenderfer says the flexibility provided by Web Bluetooth means IoT devices can more easily include social components, such as sharing fitness data with your friends regardless of which device you use.
Easier app development is only one part of why the tech world is buzzing with excitement about Web Bluetooth. The second part—allowing websites to connect with your IoT devices—may open virtually endless possibilities. Imagine Facebook being able to serve you different content in your News Feed based on the mood you’re in (communicated by your health monitor), or Gmail being able to turn your smart lightbulb a certain color when you get an email from a certain contact, or your drone flying in circles the moment you get a delivery email from Amazon—you know, go wild.
These are the types of applications developers are starting to imagine, and we can expect new Web Bluetooth features to really start pouring out as early as January.
Another thing we can expect? Privacy and security problems.
Limits of security
Lukasz Olejnik, a London-based privacy and security consultant and researcher at University College London, has a number of concerns with Web Bluetooth, particularly in light of the recent DDoS attack—which was at least partially carried out through a botnet controlled by IoT devices infected with the Mirai malware—that rendered many high-profile websites inaccessible for millions of users across the United States.
In a newly published blog post, Olejnik explains what he sees as the two key factors that make getting the privacy and security of Web Bluetooth right from the start a must: “Web Bluetooth API will deal with personally-identifiable information [and] Web Bluetooth API will be providing detailed information about user’s motion, position and movement.”
As such, Olejnik says, the technology needs improvement to help ensure users don’t fall prey because of their use of Web Bluetooth.
It’s all our fault
When Google announced that it would include Web Bluetooth functionality in its Chrome browser (you can try it out now if you have Chrome 45 or later and some technical know-how), developer François Beaufort explained the two main security steps already baked into the technology. First, Web Bluetooth only allows sites that use an encrypted HTTPS connection access to IoT devices. Second, users must give any site explicit permission to access those devices before they can do so.
Once an IoT device is connected to a website, they can communicate back and forth. And this is where things start to get a bit tricky. Olejnik says the fact that the Mirai botnet attack was possible because users who hooked up their IoT devices failed to change the default passwords (thus allowing hackers to access any connected device that used the same default password) is evidence of poor design by manufacturers who make it too easy for users to skip the basic security measures that do exist.
The issue here, really, comes down to how little the average person knows about cybersecurity and the capabilities of hackers to take advantage of their ignorance.
“Can we realistically assume that users in general will know the distinction between pairing a local smartphone/kettle/beacon with a local laptop, and pairing a smartphone/kettle/beacon/toothbrush with a remote site?” writes Olejnik. “I don’t think so. Don’t take me wrong. But most of the people don’t even get the true nature of cloud computing/storage.
“This is an invitation to unexpected surprises.”
So, that’s the first problem: user ignorance and device makers not putting the proper roadblocks in place to better ensure safe use of these powerful new tools we all have.
Internet of privacy violations
The second problem is, well, creepier. Websites may have access to multiple IoT devices from a single users. In this case, they may be able to grab all usage from these devices to derive inferences about people’s private lives—how often they make tea from the smart kettle, how much they exercise with their fitness tracker, or how often they lock their doors and when. Websites might also detect which types of IoT devices a user has and infer how rich or poor they are based on the price of their gizmo collection.
Bluetooth’s Hegenderfer says every IoT device is different, and the level of security and privacy settings may not need to be equal across all devices. A smart thermometer, for example, may not need the same level of protection as a smart pacemaker. “Every use case is different,” he says. “The temperature sensor is totally different from a government-grade headset.”
Olejnik says this kind of thinking “may slightly miss the point.”
“There are numerous examples of data processing methods possible of extracting insight previously seemingly hidden,” he told the Daily Dot in an email. “With Web Bluetooth, core security and privacy responsibility is delegated to the already powerful Web browser. Browsers should consider the types of information made available to websites and act accordingly in designing their data privacy layers.”
But personal profile info isn’t the only type of data a website could collect on a Web Bluetooth user. “Using Web Bluetooth API, websites will be able to monitor users’ movements and location changes in real-time,” warns Olejnik.
The way websites can do this gets into the technical weeds a bit, but it basically boils down to the ability of sites to track the Bluetooth signal strength, which could then be used to track location—particularly if a person is using more than one portable IoT device. Olejnik says this problem could be avoided if developers turn off the data collection that makes this type of location tracking possible.
Finally, Olejnik is concerned that Web Bluetooth will serve as yet another avenue for hackers to take control of a wide swath of devices that can then be used to carry out cyberattacks.
“One side consequence is also that Web Bluetooth API will decrease the entry barrier for people with malicious intentions, who so happens aren’t very technically versed,” he writes. “Soon, everyone with a web browser will be able to potentially become an attacker targeting Internet of Things and Web of Things devices.”
Drawing a line in the digital sand
Hegenderfer emphasizes that Bluetooth technology already has many protections for users. “With Bluetooth you have a bunch of privacy and security stuff built in,” he says. Still, he argues, device manufacturers should each decide the appropriate level of security for their device.
Olejnik disagrees with this approach, particularly given the “Internet of Things suffers from inadequate security and privacy standards.”
“This has to change, and some countries [are] already consider[ing] standardizing IoT security and privacy,” he continues. “There is a need for good security and privacy designs, at the minimum level. I would draw the line high.”