The internet of everything - bringing more risk to more places

Filed Under: Data loss, Featured, Privacy, Security threats

The Internet of Things (IoT) is a ubiquitous buzz-phrase these days.

The idea that just about everything we make or use could eventually be connected, allowing anything to be remotely controlled or monitored, inspires excitement and trepidation in equal measure.

The applications of a completely connected world are immense, letting us control all aspects of our lives and our environments from anywhere.

The dangers are similarly epic.

We're not only at risk of attackers snooping on the data passing between us and the devices to which we want to connect (data which often passes through some kind of cloud-based "service broker" along the way), but also at risk of attackers taking over those data channels and hijacking the devices themselves.

Google's acquisition of home-thermostat system Nest reflects the growing acceptance of IoT. Various players have estimated just how many of items could be connected in the near future, with numbers ranging from 26 billion to 30 billion or even 50 billion by 2020.

To reach these kinds of numbers we may finally have to make the transition to IPv6, as available IPv4 addresses run ever shorter.

For the most part we associate the idea with smaller things, mainly household items. Lightbulbs, light fittings, TVs, even toilets, have all sparked security fears already.

But for the most part these worries focus on the small scale.

We want the developers of these new gizmos (really just new versions of existing gizmos) to think about security and privacy issues when they design them. We fret about the security of the connections they make to us and to each other. But we rarely consider them as part of a larger system.

No part of the IoT stands alone.

An internet-ready coffee machine is just a coffee machine if it's not connected to the internet.

Without that link to the world, the threat of data leakage or loss of control to a third party does not exist.

We need to consider these newly-connected devices as part of the internet as a whole. And we need to think about the internet as part of the world as a whole, rather than merely as a conduit through which we pass commands and information.

And then we need to think about security for the whole system.

In the last few weeks we've seen a rash of scary stories looking at this bigger picture. We already knew about the risks to our power grids, financial services and water suppliers.

Now, it seems, there are risks of compromise in military satellites and the systems which control them. Airplanes and air traffic control systems are also a target for bad actors, as are the shipping networks we use to move vast quantities of things around our planet, many of those things all set to connect to the internet when they reach their final destination.

It's these big things we need to consider when devising new security paradigms for an all-connected future.

Sure, the entertainment system in front of your airplane seat is a thing in itself, and when the day comes when it merges with the internet of everything else, we'll need to think about issues in that small part.

We also need to consider the airplane itself, made up of many such small things, and the global air transport network, made up of multiple aircraft and ground vehicles, traffic systems, airport logistics, food and beverage suppliers, flight booking systems, payment systems and much much more besides.

And all of these connected to each other and through the internet to everything else, and composed of many, many smaller parts, each with their own complex patterns of interconnections.

The danger is, when we look at this kind of scale and complexity, we home in on sections and components rather than the thing as a whole.

That's why fundamental problems like the Heartbleed bug become so massive.

We spend so much time sweating the small things, but leave basic parts of the infrastructure we rely on to provide security in the hands of a small, underfunded group of volunteers.

We can't go on like this.

We need to make security and privacy front-line considerations not only when designing a new device or thinking about connecting it to a larger system, but when we design and build the system itself and every component part of it.

This won't be easy, particularly when trying to join up aged legacy systems.

We may need to start from scratch in some areas.

But if we're going to avoid future disasters on the scale which Heartbleed has the potential to present, it's something we have to do.


Image of cartoon cloud courtesy of Shutterstock.

Images of icons of things courtesy of Shutterstock.

Image of smart home components courtesy of Shutterstock.

, , , ,

You might like

2 Responses to The internet of everything - bringing more risk to more places

  1. Thomas · 179 days ago

    I've been concerned about these same issues ever since I heard the phrase "Internet of Things". Thanks for the great article.

    *Sent from the sump pump in my neighbors garage*

  2. I have got an elderly relative who has to wear iPads; I now notice that people can send emails from iPads - scary!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.