The Internet of Things is upon us. A panel of security experts offers insight into what they feel is right, and what they consider wrong, with the newest technology.
Security experts liken the Internet of Things (IOT) to a rudderless ship, and the ensuing lack of direction makes them nervous. Three SMEs shared suggestions on how to avoid issues that plagued past disruptive technologies. Those participating in this panel are:
Roger G. Johnston is the head of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory. Johnston has a passion for knowing how things work. For example, in this video he showed how easy it is to hack certain kinds of voting machines. So, Johnston gets the “things” part, which is key to our discussion.
Joe Klein is the Cyber Security Solutions Architect at SRA International. Klein is the go-to guy for anything related to IPv6, which is important when it comes to the IOT. Without IPv6, the IOT would not be possible.
Jacob Williams is the Chief Scientist at CSRgroup. As a digital forensic scientist, Williams especially likes it when someone says their company’s network is impenetrable. Williams’ expertise comes into play when discussing the increased interconnectedness required by the IOT.
Define the IOT
To have a meaningful dialogue and prevent misunderstanding, the IOT needs to be defined. Of all the definitions circulating on the Internet, the following one happened to find the most agreement among the experts (courtesy of SAP AG):
“A world where physical objects are seamlessly integrated into the information network, and where physical objects can become active participants in business processes. Services are available to interact with these ‘smart objects’ over the Internet, query, and change their state and any information associated with them.”
For those curious as to who coined the term “Internet of Things,” most people attribute the moniker to Kevin Ashton, who mentioned in this blog post, “I could be wrong, but I’m fairly sure the phrase ‘Internet of Things’ started life as the title of a presentation I made at Procter & Gamble in 1999.”
And now, for the roundtable panel:
TechRepublic: Everyone agrees that the Internet of Things (IoT) is or will be the next disruptive technology. With regard to your field of expertise, what will be the most positive outcome of the IoT?
Johnston: I think the IoT will be disruptive because companies making almost anything: toasters, running shoes, garage doors, backpacks, air conditioners, etc. will need to install electronics, microprocessors, and software in their products or they will go out of business. People who can program a microprocessor, and do wireless sensors will become more important than people who can program a computer.
Klein: As a technologist, I am fascinated by the capabilities being built into devices that will make my life easier and better than I had previously thought. I have a 90-minute commute twice a day, and I would love to spend it doing anything other than driving, so hurry up Google.
Another IoT device I’m interested in is the programmable LED light. I would program the light to emit bluish-white light in the morning to wake up, and a warm yellowish tint at night to remove the day’s stress.
Williams: For me, the most positive disruption brought on by IoT will be efficient transportation. Self-driving cars (such as those built by DARPA and Google) are one thing. Imagine what’s possible when all cars on the road are communicating with one another; safer trips for one thing, and less stress by automatically routing cars around congested areas.
TechRepublic: What makes you the most nervous about IoT?
Johnston: Clearly, security. For example, the peeping-tom issue associated with Trendnet home video cameras. It’s a safe bet there will be more of the same. We’re going to have all these hardware engineers developing electronics with no understanding of physical or cyber security—lots of risk for sabotage, loss of sensitive personal information, and, as the camera debacle proved, loss of privacy.
Another potential nightmare is safety. Remote or robotic control of toasters, propane grills, and other things is going to cause problems and serious legal liabilities.
Klein: There are two disparate yet related problems with the way the IoT is being conceived. First, there is a huge disconnect related to security and privacy between the engineers who are making the things, and the engineers who have to connect the things to the Internet. I find that troubling.
Next is the business model being formulated for IoT devices. I will use Windows XP as an example. Microsoft is obsoleting XP, and upgrading the operating system software on an existing computer is usually not an option. You have to buy new hardware. Potentially, all devices belonging to the IoT will have the same issue. An IoT car in perfect mechanical condition becomes unusable because it is an older model, and a software patch will not load.
Williams: Two words: security and privacy. Security has to be engineered early in the development of Internet-connected devices. We’ve seen too many times that “bolt-on” security after the fact doesn’t work. Look at our network-connected medical devices. Many of these have never undergone a serious security evaluation. Privacy is an issue as well—for my transit example to work, traffic routers must track the starting location, route, and destination of every vehicle on the road. Scary implications for privacy if the data isn’t properly protected.
TechRepublic: IoT being a disruptive technology means it is going to have a huge impact on our lives. What can we do differently than in the past to reduce the chance of having to live with unforeseen negative results: for example, experts wishing now they had incorporated security measures in the original network technology driving the Internet?
Johnston: We never foresee adequately. It is like the old saying: if you went back to 1870 and asked a farmer what he would like, he would say a bigger, stronger horse that ate less. He wouldn’t request a tractor. Who could have foreseen that the Internet would lead to Twitter and Craigslist? The things I would ask for are to have minimum requirements for security, demand independent vulnerability assessments, legislate some legal/economic liability for security flaws, and use a separate network for IoT devices instead of using the Internet entirely.
Klein: I am not sure how we will avoid the problems I see coming. On a positive note, the federal government is starting to push for regulations and laws to secure critical infrastructure. President Obama just released a statement to that effect this week.
Williams: Again, design security in from the beginning—and do not take the developer’s word that it was implemented. Independent testing is the only way to go. Developers think about how to build things to spec, vulnerability researchers think about how to break things. We tend to focus on things developers do not think about. I’ve tested countless systems where the design documents called for encryption, but a developer forgot to implement it. The auditors were convinced everything was fine; only independent testing uncovered the flawed implementation.
The bottom line
The overall idea expressed by the panel was that the IOT has the potential to make all of our lives significantly better, even smart refrigerators. But the IOT also has the potential to make our lives more than miserable if we are not careful.
One thing panel members alluded to that I hadn’t considered was the possibility of planned obsolescence due to software rather than hardware issues. My car is 16 years old. I’m not sure I’d appreciate replacing a vehicle every few years due to software or security glitches that can’t be patched because the wheel size is wrong.