Security experts liken the Internet
of Things (IOT) to a rudderless ship, and the ensuing lack of direction makes
them nervous. Three SMEs shared suggestions on how to avoid issues that plagued
past disruptive technologies. Those participating in this panel are:
Roger G. Johnston is the
head of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory. Johnston has an amazing passion for knowing how things work. For example,
in this video he
showed how easy it is to hack certain kinds of voting machines. So, Johnston gets
the “things” part, which is key to our discussion.
Joe Klein is the Cyber
Security Solutions Architect at SRA International. Klein is the go-to guy for
anything related to IPv6, which is important when it comes to the IOT. Without
IPv6, the IOT would not be possible.
Jacob Williams is
the Chief Scientist at CSRgroup. As a digital forensic scientist, Williams especially
likes it when someone says their company’s network is impenetrable. Williams’ expertise comes into play when discussing the increased interconnectedness
required by the IOT.
Define the IOT
To have a meaningful dialogue and
prevent misunderstanding, the IOT needs to be defined. Of all the definitions
circulating on the Internet, the following one happened to find the most
agreement among the experts (courtesy of SAP AG):
“A world where physical objects are
seamlessly integrated into the information network, and where physical objects
can become active participants in business processes. Services are available to
interact with these ‘smart objects’ over the Internet, query, and change their
state and any information associated with them.”
For those curious as to who coined
the term “Internet of Things,” most people attribute the moniker to Kevin Ashton, who mentioned in this blog post, “I
could be wrong, but I’m fairly sure the phrase ‘IOT’ started life as the title
of a presentation I made at Procter & Gamble in 1999.”
And now, for the roundtable panel:
agrees that the IOT (IoT) is or will be the next disruptive technology. With
regards to your field of expertise, what will be the most positive outcome of
Johnston: I think
the IoT will be disruptive because companies making almost anything: toasters,
running shoes, garage doors, backpacks, air conditioners, etc. will need to
install electronics, microprocessors, and software in their products or they
will go out of business. People who can program a microprocessor, and do
wireless sensors will become more important than people who can program a
Klein: As a
technologist, I am fascinated by the capabilities being built into devices that
will make my life easier and better than I had previously thought. I have a
90-minute commute twice a day, and I would love to spend it doing anything
other than driving, so hurry up Google.
Another IoT device I’m interested in
is the programmable LED light. I would program the light to emit bluish-white
light in the morning to wake up, and a warm yellowish tint at night to remove
the day’s stress.
Williams: For me,
the most positive disruption brought on by IoT will be efficient
transportation. Self-driving cars (such as those built by DARPA and Google) are
one thing. Imagine what’s possible when all cars on the road are communicating
with one another; safer trips for one thing, and less stress by automatically
routing cars around congested areas.
makes you the most nervous about IoT?
Johnston: Clearly, security.
For example, the peeping-tom issue associated with Trendnet home video cameras. It’s a
safe bet there will be more of the same. We’re going to have all these hardware
engineers developing electronics with no understanding of physical or cyber
security—lots of risk for sabotage, loss of sensitive personal information, and
as the camera debacle proved, loss of privacy.
Another potential nightmare is
safety. Remote or robotic control of toasters, propane grills, and other things
is going to cause problems and serious legal liabilities.
Klein: There are two
disparate yet related problems with the way the IoT is being conceived. First,
there is a huge disconnect related to security and privacy between the
engineers who are making the things, and the engineers who have to connect the
things to the Internet. I find that troubling.
Next is the business model being
formulated for IoT devices. I will use Windows XP as an example. Microsoft is
obsoleting XP, and upgrading the operating system software on an existing
computer is usually not an option. You have to buy new hardware. Potentially,
all devices belonging to the IoT will have the same issue. An IoT car in
perfect mechanical condition becomes unusable because it is an older model, and
a software patch will not load.
Williams: Two words:
security and privacy. Security has to be engineered early in the development of
Internet-connected devices. We’ve seen too many times that “bolt-on”
security after the fact doesn’t work. Look at our network-connected medical
devices. Many of these have never undergone a serious security evaluation.
Privacy is an issue as well—for my transit example to work, traffic routers
must track the starting location, route, and destination of every vehicle on
the road. Scary implications for privacy if the data isn’t properly protected.
TechRepublic: IoT being a disruptive technology means it is going to have a huge
impact on our lives. What can we do differently than in the past to reduce the chance of having to live with unforeseen negative results: for example, experts wishing now they had incorporated security measures in the original network technology driving the Internet?
Johnston: We never
foresee adequately. It is like the old saying: if you went back to 1870 and
asked a farmer what he would like, he would say a bigger, stronger horse that
ate less. He wouldn’t request a tractor. Who could have foreseen that the Internet
would lead to Twitter and Craigslist? The things I would ask for are to have
minimum requirements for security, demand independent vulnerability
assessments, legislate some legal/economic liability for security flaws, and
use a separate network for IoT devices instead of using the Internet entirely.
Klein: I am not sure
how we will avoid the problems I see coming. On a positive note, the federal
government is starting to push for regulations and laws to secure critical
infrastructure. President Obama just released a statement to that effect
design security in from the beginning—and do not take the developer’s word that
it was implemented. Independent testing is the only way to go. Developers think
about how to build things to spec, vulnerability researchers think about how to
break things. We tend to focus on things developers do not think about. I’ve
tested countless systems where the design documents called for encryption, but
a developer forgot to implement it. The auditors were convinced everything was
fine; only independent testing uncovered the flawed implementation.
The bottom line
The overall idea expressed by the panel was that
the IOT has the potential to make all of our lives significantly better, even
smart refrigerators. But the IOT also has the potential to make our lives
more than miserable if we are not careful.
One thing panel members alluded to
that I hadn’t considered was the possibility of planned obsolescence due to
software rather than hardware issues. My car is 16 years old. I’m not sure I’d
appreciate replacing a vehicle every few years due to software or security
glitches that can’t be patched because the wheel size is wrong.