We’re all going to hell in an IP-enabled handbasket.
The bland-looking control panel depicted above is the heart of a smart home – automated up the wazoo, so your fingers can play master of the universe with the lighting, audio system, appliances, heating and cooling, sprinklers, pool, spa, garage door – and your alleged security system.
Alleged because smart homes, cars and all the other items you’ll be connecting to the public Internet will offer unprecedented opportunities for hackers to infiltrate your life. Most personal devices like computers are already insecure enough. But so-called “smart” devices will be far more difficult for consumers to organize, update and secure than the familiar devices we can see and hold. (If you think any object in our lives will be spared, check out the automated cat feeder adjacent, courtesy Wikipedia.)
The vista ahead, often called the Internet of Things, has prompted cryptographer Bruce Schneier to write a lot recently about the new world of security problems we’ll face:
“With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”
Hackers will no longer be pilfering mere data, like passwords and identities. They’ll be remotely unlocking the front door the better to burgle the home. Alternatively, they’ll be locking your front door so you can’t open it without doing the hacker’s bidding – like ransomware only potentially worse. And hacking the brakes of cars remotely, among other horrors (see Schneier’s When Hacking Could Enable Murder).
In 2014 I wrote a post on what the Internet of Things means for our online future: The Internet in 2025: the Internet/Cloud of Things. I don’t think very much has changed since then, except that the industry guys who liked the financial prospects of the IoT then like the prospects even more now:
“Unfortunately, the IofT will eventually create a perfect storm from three elements: ubiquitous networking platforms; the huge proliferation of addressable things made possible by IPv6; and the out-of-sight-out-of-mind nature of many of the ‘things’ in question. Consumers of digital technology have never been well served by their own ignorance of how things work, where risks lie and what EULAs say about vendor privileges. Embedded technologies take the problems of consumer protection to a whole new level, given the dramatically increased opportunities they create for surveillance and commercial data collection.”
All that so the fridge will remind you when to get milk?
A 3rd and final Pew/Elon question
Following on my previous two posts about the Pew/Elon survey, here are the questions posed on the rampant connectedness brought about by the IoT:
“As billions more everyday objects are connected in the Internet of Things they are sending and receiving data that enhances local, national and global systems as well as individuals’ lives. But such connectedness also creates exploitable vulnerabilities.
“As automobiles, medical devices, smart TVs, manufacturing equipment and other tools and infrastructure are networked, is it likely that attacks, hacks, or ransomware concerns in the next decade will cause significant numbers of people to decide to disconnect, or will the trend towards greater connectivity of objects and people continue unabated?”
The usual opposing answer options, along with a few more questions:
- Significant numbers will disconnect
- Most people will move more deeply into connected life
What is the most likely kind of physical or human damage that will occur when things are networked? How might governments and technologists respond to make things more secure and safe? Is it possible to network physical objects in such a way that they will generally remain safe for the vast majority most of the time?
My headline: very few consumers will be put off by the IoT risks; most will keep hyper-connecting at every opportunity, despite the many misfortunes to come.
[From my July survey response]
The trend towards greater connectivity will continue unabated, even as hacking and other forms of attack on networks keep rising. A couple of factors point in this direction. First, IT vendors and service providers of all kinds aren’t going to pass up the golden opportunities thrown at them by the Internet of Things. While a few smart devices like Google Glass and Apple Watch have popped up in the residential market, vendors have barely begun to explore the prospects for full-blown home connectivity. Once IPv6 comes into widespread use, innovators will be free to persuade consumers that their convenience, welfare and happiness depend on ever-greater levels of connectivity. And in doing so, they will package their wares with the usual assurances to customers that it’s all as easy as pie. Consumers have been coached to hate the effort required to keep themselves safe online, and have very little motivation to understand the kinds of risks they face. In other words, things are going to get much worse for security before they get any better.
Second, what’s good for the vendor-goose is good for the hacker-gander. Up until perhaps a decade ago, we lived in more innocent times, when hackers were typically motivated by the desire to blow things up (in your computer) or show the community they could wriggle past the defences of even the best-equipped Internet venues. Back then we had viruses, which at least had the virtue of letting you know when your hard drive was toast. Today we have social engineering and surreptitious code whose inherent purpose is to evade detection, the better to steal your passwords, money or identity. That change signals a shift from mischief-making to earning a living by theft on a grand scale. The more opportunities that are created for selling hyperconnectivity, the more opportunities that will be created for hackers, who will find pots of gold in ever-increasing quantities as a reward for pursuing their line of business.
It’s hard to see how solutions based purely on technology can stem this tide, especially since there’s no end-game. We’ll never see a day when either the hackers or the cryptographers write the definitive solution to beating the other camp, or just decide to give up. Governments can undertake two actions, one directed at business, the other at consumers. First, businesses over a certain size need to face much harsher sanctions for allowing lax security to compromise their employees and customers. Second, national regulators like the FCC and FTC in the US, and the CRTC in Canada, should be directing major efforts to consumer protection and consciousness-raising in ways that recognize the limited mainstream appetite for learning anything about digital risks. It’s a daunting job, but we have to start somewhere.