Page 20 - THE Journal, March 2017

FEATURE | IoT
The Things Are Not Secure
The Internet of Things is still a wide-open space with little conformity from one thing to another and no clear standards for communication or security. From “denial of sleep” attacks that drain batteries by preventing devices from sleeping to the ability for hackers to impersonate connected things, the simple processors and operating systems used by IoT devices open a whole new realm of security concerns.
These security concerns are neither trivial nor hypothetical. A distributed denial-of-service attack in October used connected things, including baby monitors, cameras and home routers, to cause problems for companies including Twitter, Netflix and the New York Times. A group of researchers from the University of Michigan and Microsoft found multiple vulnerabilities in Samsung’s SmartThings platform. And — perhaps most concerning for districts with a legal mandate to protect student privacy — a Federal Trade Commission report found that these devices generate massive amounts of data, with 10,000 households capable of generating 150 million data points every single day.
Even devices as simple as healthcare monitors, such as Fitbits, bring up all kinds of data and privacy concerns, according to Ed McKaveney, technology director at Hampton Township School District (PA).
“Should the parents be able to remotely monitor their child, does this get sent and shared with the school nurse, how is this data stored?” McKaveney asked. “Alternatively, consider how body cameras, smart glasses or cloud-based artificial intelligence services are being tied to devices from Apple, Google and others, such as the Amazon Echo, where they are always on, always listening or always recording. How does a school deal with the evolving educational value of these systems and services, while ensuring privacy and security, particularly when the companies creating them put forth consumer-based privacy policies that don’t account for use in group settings such as a classroom?”
McKaveney acknowledges that those questions don’t have easy answers and “will need to be carefully navigated by all,” pointing to organizations like CoSN, where he serves on the emerging technology committee, and the resources they provide to help administrators create new policies and procedures as technologies proliferate.
Preparing for Things
In some ways, a more secure Internet of Things will simply come with time as new standards and platforms emerge. But there are steps districts can take now to prepare for IoT before it arrives in full force, according to Reyer, who offers four tips for administrators looking ahead.
First, Reyer recommended moving to IPv6, which assigns a public address to every single device on the network. Reyer stressed that this doesn’t need to happen in the immediate future but that administrators can make sure their internal environment, from the operating systems on machines to the firewall to the internet service provider, can support it.
Second, Reyer suggested a next-generation firewall, capable of ensuring that traffic over the network is secure and legitimate, even if it’s coming from a connected thing.
Third, Reyer said administrators need to make sure their internal access points support all the protocols that will be necessary in the world of connected things. “If I was in the market to update all my access points,” Reyer said, “one of the first things I’d be asking is, ‘Do you guys have any ability to update that access point or plug an expansion card into it that lets me see IoT protocols?’ Because I think that’s something I’m going to need to be able to do in the future.”
Finally, Reyer recommended teaching students and teachers about the importance of application privacy and “making sure everyone is asking the right questions about sites and applications that they intend to use that monitor or collect data.”
Imagining IoT applications from tracking biometric feedback during exams to measuring air quality to determine if recess should be inside or outside to uncovering high anxiety across a classroom in an urban area because of an event that needs to be addressed before learning can begin, Craven called the emerging technology “neat” and “fascinating” but pointed out that it’s all dependent on what data parents are comfortable allowing districts access to.
“Showing a good security posture now will instill some confidence in the community and families to be willing to at least try some of these things,” Craven said, “whereas if your data’s being constantly leaked out, then you’ll erode that trust with the families.”
Joshua Bolkan is a contributing editor for THE Journal based in Portland, OR.