Welcome to the SecAware blog

I spy with my beady eye ...

7 Dec 2017

NBlog December 7 - Santa's slaves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year.  Ooh the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis.


  • Elves meddling with the light show, causing frustration and puzzlement.
  • Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
  • Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
  • Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).


  • Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
  • Inherently insecure Things (probably ... with probability levels approaching one). 
  • Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it?  Read on!
  • Does anyone bother security-testing them, or laying down rules about bringing them into the home or the corporation?
  • Ineffective compliance enforcement of safety and security standards for low-value, high-volume retail stuff flooding the markets.
  • Widespread dependence on "the authorities" to protect "us" from "them".  A naive and potentially reckless abdication of our own responsibility.


  • Theft of valuable and confidential information.
  • Disruption or loss of valuable data, networks and devices.
  • [Further] loss of control over network access points, leading to exploitation of other connected systems and data.
  • Fire from badly engineered and manufactured knock-em-out-and-pile-em-high cut-price electronics connected to the mains power and dangled among increasingly flammable dead pine trees.
  • Distractedly driving into the back of stationary traffic while trying to re-program the light show on your way home from the office, at the insistence of a back-seat-load ("a pester" is the collective noun) of over-excited kids on a massive sugar high. A rather more dramatic form of impact, that!

Taking that all into account, there are definitely information risks in the scenario, but whether you consider them significant enough to worry about depends on your perspective.

OK so I admit I'm going out on a limb by analyzing information risks for web-enabled Christmas tree lights but the risk analysis is much the same for a zillion other Things quietly invading our homes and businesses. It's the zombie apocalypse.

Aside from all those high-tech toys soon to be piled up under the Christmas tree, the modern hi-tech kitchen and lounge is already replete with Web-enabled whiteware and entertainment systems, and almost everything that moves or goes ping in the office (including the workers!) is wirelessly networked.

Remember, kids, information security is for life - not just for Christmas.

["Santa's slaves" alludes to a friend-of-a-friend's little'un asking its mum for 'one of those Christmas slaves this year - you know, the slave that Santa rides', while jangling his slave-bells, presumably.]
