Connecting IoT Devices via Bluetooth Hampers Security

The international standards body for the internet is now finalising a specification to enable all smart devices to connect directly with websites via Bluetooth, but given the recent concerns about securing the Internet of Things, and the latest attacks, one wonders if this is a good idea.

The Web Bluetooth API specification being developed by the World Wide Web Consortium (W3C) is meant to be one of the core components of the Web of Things, which is essentially the application layer of the Internet of Things.

The Internet of Things connects smart devices to the internet so that they can monitor data about weather conditions on an oil rig, the peak times for cars parking in the city or the temperature in your home, and send that data to the cloud. In contrast, the Web of Things will enable a web browser to contact any of your connected devices directly – everything from your smart toasters, kettles, fridges and security cameras to your smart heart rate monitors, smart TVs and your mobile phones.

MSN News cites Lukasz Olejnik, a cybersecurity and privacy researcher, and an invited expert with W3C. He expresses his concern that the Web Bluetooth API will both deal with personally identifiable information and provide information about a user’s position, motions and movements. “Access to Web Bluetooth API will be subject to permissions and it will only work in secure contexts.” Olejnik warns that if you grant a website access to your smart kettle, aptly named “John Smith’s Kettle”, for example, and then later grant another website access to the same device, information could be leaked if the device has the same unique name.

“Pairing a user’s computer with a user’s device happens locally. We can say that identifiers or unique names stay close to the user. However, pairing user’s device with a remote web site is something qualitatively different,” he explains.
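The device-name concern can be checked with a small privacy audit. The following is an added example, not code from the W3C specification or from Olejnik: the record layout, account names and function names are assumptions, and the sample data is constructed. It shows that a unique device name lets two unrelated sites join their records exactly, while a generic name shared by several users does not.

```javascript
// Constructed sample data: what two unrelated origins each record after a
// user grants them access to a Bluetooth device. All values are made up.
const siteA = [
  { account: "john@shop.example", deviceName: "John Smith's Kettle" },
  { account: "bob@shop.example", deviceName: "Kettle" },
  { account: "carol@shop.example", deviceName: "Kettle" },
];
const siteB = [
  { account: "anon-7731", deviceName: "John Smith's Kettle" },
  { account: "anon-1029", deviceName: "Kettle" },
  { account: "anon-5520", deviceName: "Kettle" },
];

// Group one origin's accounts by the device name it observed.
function groupByName(records) {
  const byName = new Map();
  for (const { account, deviceName } of records) {
    if (!byName.has(deviceName)) byName.set(deviceName, []);
    byName.get(deviceName).push(account);
  }
  return byName;
}

// For each device name seen by both origins, count the candidate account
// pairs. A name acts as a cross-site identifier when exactly one pair fits.
function crossSiteLinks(a, b) {
  const left = groupByName(a);
  const right = groupByName(b);
  const report = [];
  for (const [name, accountsA] of left) {
    const accountsB = right.get(name);
    if (!accountsB) continue; // name not seen by the second origin
    const candidates = accountsA.length * accountsB.length;
    report.push({ name, candidates, unique: candidates === 1, accountsA, accountsB });
  }
  return report;
}

// Audit helper: device names that let the two origins link records exactly.
function linkableNames(a, b) {
  return crossSiteLinks(a, b).filter((r) => r.unique).map((r) => r.name);
}

console.log(crossSiteLinks(siteA, siteB));
console.log("Names to rename:", linkableNames(siteA, siteB));
```

Renaming a device to a generic label moves it from the first group to the second, which is the practical mitigation available to a device owner.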

Olejnik goes on to say that websites could potentially request that the device hand over all sorts of information, and even learn about the user’s financial assets.

Moreover, the Web Bluetooth API’s code enables websites to monitor a user’s movements and location changes in real time just by requesting information on the smart device’s signal strength.

So if you put a man in a living room surrounded by a smart TV, a smart thermometer on the wall, a smartphone on the coffee table and a router in the corner, read the strength of the signals from each device, and look at the relationship between distance and signal strength, you can basically figure out exactly where the person is, according to MSN News.

“Web Bluetooth API will decrease the entry barrier for people with malicious intentions, who aren’t very technically versed.”