The imminent IoT revolution doesn’t scare you enough
Earlier this month, Brendyn Lotz opined that the Internet Of Things, while intimidating, should be embraced as it boasts the potential to help millions of people. It turns out, though that not everyone at htxt feels that way…
The Internet of Things (IoT) is a terrible idea. The worst. In fact, it’s so bad I am continually horrified that business and industry appears hell-bent on going forward with it despite its many, many pitfalls.
The reasons IoT terrifies me is not the idea itself – which is potentially life-changing in a good way – but the way in which it will likely be implemented. Allow me to elaborate.
The heart of it
At the heart of IoT is the idea that we will use IPv6 (which enables billions of IP addresses) and the advances of modern manufacturing and electronics to embed networkable sensors into absolutely everything. These will allow us to better monitor and maintain systems of all sorts, and embed intelligence where today there is none, which will generate data points that can be used to create better, well, everything.
Think “Detecting potential failures in steel and concrete buildings and objects before they fail catastrophically”, “Cars that can park themselves”, “Smart wearable devices”, “Revolutionary medical treatments and early warning systems”, “Household appliances that can talk to one another”. All of these, and more, are happening today thanks to IoT.
You could be forgiven, then, for thinking that it’s a pretty exciting idea. And to a certain extent, you’re right – on the surface, IoT is pretty neat…
There’s always a but
…but it requires a perfect world to work as intended, and we do not live in one. Our world is full of imperfect computer systems, imperfect IT people, and imperfect users, not to mention a legion of cyberattackers who’re all too eager to exploit those realities for their own gain. You can have the best “Security Best Practices” that security experts can come up with in place, and a 99.9% compliance rate with those best practices, but that 0.1% is enough to allow any given system to be compromised.
It’s like having a plot of land that’s 150 square metres big with fence around 149m of its boundaries. Great, you have a fence, but it’s essentially pointless because of that 1m gap that will allow anyone in.
That’s a very basic analogy, and it has its flaws, I know; I’m just trying to illustrate a point. But bear with me here; the actual nitty-gritty is far scarier.
Massive collaboration required
Getting the Internet of Things off the ground requires a massive collaboration between a huge number of different groups, organisations, businesses and manufacturers. And ultimately, the IoT will be made up of billions, perhaps trillions of different physical devices, require incredibly complicated programming, and rely on network devices from a wide range of companies.
Each company has its own design philosophies, manufacturing methodologies, programming competencies and approach to securing their devices. And the majority of companies nail each of these different elements and get them right to the best of their abilities, and that’s great.
But not every company making IoT devices is like this. Some just want to make a quick buck, and will cut corners to do it. Those cut corners could include using cheap electronics from fly-by-night vendors for their products’ insides. That means poorly-coded firmware and software that’s vulnerable to hackers.
The worst part of all of this is that even if companies making IoT devices get everything right, they still send them to market with default usernames and passwords and no mechanism to force users to change them in place. That means millions upon millions of devices out there that are live and connected to the internet, and vulnerable to the simplest of attacks.
And malware likes to make use of this information. The Mirai malware, for example, seeks out and corrupts IoT devices that are secured with just a default username and password, adding them to an ever-growing number of “zombie” devices, also known as a botnet army. This army of zombie devices can then be directed to send junk traffic to any target of the malware’s owner’s choosing.
Just last year, a Chinese manufacturer of Wi-Fi-equipped CCTV cameras and digital video recorders, XiongMai Technologies, unwittingly played a part in a major Distributed Denial of Service attack. Thanks to terrible device security, many of the company’s cameras and DVRs were taken over by Mirai, and used to send junk traffic to DNS provider Dyn in the US, eventually overloading its servers and causing widespread disruption to major internet platforms and services.
The problem of unsecured IoT devices is getting so bad, that a so-called good guy hacker decided to write malware that seeks out unsecure IoT devices and bricks them if it can’t force them to change their default usernames and passwords.
And this is just one example of what is already going wrong with existing IoT devices, and these devices are relatively simple.
Going even further
But the vision for the Internet of Things goes even further than just putting internet-connected computers into video cameras and recorders. It’s about putting sensors into everything, even things like concrete and steel, so that human activities can generate even more data than they currently do, to be analysed by massive datacentres in order for companies and governments to come up with newer, better ways of doing things.
And again, this sounds pretty damn fantastic. The data generated can be used to detect materials failure before it happens in bridges and buildings, monitor road conditions, sensor-fy cities in order to manage everything from sewage to traffic better, gather useful data in factories to help owners figure out what areas need attention, and many more awesome-sounding things.
And to an extent, this is pretty damn awesome… but only if executed properly, and in a perfect world where hackers – and the motivation to hack – don’t exist. And that ain’t a happening thing.
The many what ifs
The question on my mind is this: what happens to all the data generated by these internet-connected sensors? What if it’s applied improperly by law enforcement agencies? What happens to privacy? What if it falls into a criminal’s hands and they suddenly have access to all sorts of pertinent private data about you, your home, your business, your factories? What if it’s as easy to compromise the systems guarding that data as it is to turn unsecured CCTV cameras into a botnet army? What if an unsecured IoT device is a gateway into an otherwise well-guarded system?
My problem with the Internet of Things, is that I think it’ll open the door to even more cyberattacks like these, because IT security is imperfect today, and it’ll likely remain so tomorrow. It’ll do little more than give hackers even more ways of gaining access to sensitive systems, and malware more ways to take over legitimate devices and put them up to no good.
To use a term from all the cybersecurity summits I’ve attended, I think IoT will “widen the attack surface” and give the good guys more to protect. And since they’re not doing an amazing job of protecting the comparatively little that’s there already, I have no hope for the future being any better. If anything, it’ll be even worse than it is today, and that’s saying something.
Should it be stopped?
Do I think IoT development should stop, then? Well, no, I don’t, the promise IoT holds is too good to ignore. What I think needs to happen, though, is IoT standards need to be established (which is happening, admittedly), and then ruthlessly enforced.
That last part’s the important bit, and any companies that produce sub-standard IoT devices that fail to adhere to those standards need be punished, and mechanisms put in place to ensure that all future products from those companies are painstakingly vetted, so that the problem doesn’t grow.
Is that going to happen? Probably not, given market demands (making the most of the IoT opportunity), the nature of capitalism (making things as cheaply as possible to maximise profits), and the cost of product development (lots, thus little desire to recall or correct flawed ones).
Yes, I’m being negative here and focusing on the worst that could happen. But it’s not like my concerns are unfounded, given the imperfect world we live in that’s long on idealism, and short on the practical execution required to support it.