The Internet of Things (IoT) is a ubiquitous buzz-phrase these days.
The idea that just about everything we make or use could eventually be connected, allowing anything to be remotely controlled or monitored, inspires excitement and trepidation in equal measure.
The applications of a completely connected world are immense, letting us control all aspects of our lives and our environments from anywhere.
The dangers are similarly epic.
We’re not only at risk of attackers snooping on the data passing between us and the devices to which we want to connect (data which often passes through some kind of cloud-based “service broker” along the way), but also at risk of attackers taking over those data channels and hijacking the devices themselves.
Google’s acquisition of home-thermostat system Nest reflects the growing acceptance of IoT. Various players have estimated just how many of items could be connected in the near future, with numbers ranging from 26 billion to 30 billion or even 50 billion by 2020.
To reach these kinds of numbers we may finally have to make the transition to IPv6, as available IPv4 addresses run ever shorter.
But for the most part these worries focus on the small scale.
We want the developers of these new gizmos (really just new versions of existing gizmos) to think about security and privacy issues when they design them. We fret about the security of the connections they make to us and to each other. But we rarely consider them as part of a larger system.
No part of the IoT stands alone.
An internet-ready coffee machine is just a coffee machine if it’s not connected to the internet.
Without that link to the world, the threat of data leakage or loss of control to a third party does not exist.
We need to consider these newly-connected devices as part of the internet as a whole. And we need to think about the internet as part of the world as a whole, rather than merely as a conduit through which we pass commands and information.
And then we need to think about security for the whole system.
Now, it seems, there are risks of compromise in military satellites and the systems which control them. Airplanes and air traffic control systems are also a target for bad actors, as are the shipping networks we use to move vast quantities of things around our planet, many of those things all set to connect to the internet when they reach their final destination.
It’s these big things we need to consider when devising new security paradigms for an all-connected future.
Sure, the entertainment system in front of your airplane seat is a thing in itself, and when the day comes when it merges with the internet of everything else, we’ll need to think about issues in that small part.
We also need to consider the airplane itself, made up of many such small things, and the global air transport network, made up of multiple aircraft and ground vehicles, traffic systems, airport logistics, food and beverage suppliers, flight booking systems, payment systems and much much more besides.
And all of these connected to each other and through the internet to everything else, and composed of many, many smaller parts, each with their own complex patterns of interconnections.
The danger is, when we look at this kind of scale and complexity, we home in on sections and components rather than the thing as a whole.
That’s why fundamental problems like the Heartbleed bug become so massive.
We spend so much time sweating the small things, but leave basic parts of the infrastructure we rely on to provide security in the hands of a small, underfunded group of volunteers.
We can’t go on like this.
We need to make security and privacy front-line considerations not only when designing a new device or thinking about connecting it to a larger system, but when we design and build the system itself and every component part of it.
This won’t be easy, particularly when trying to join up aged legacy systems.
We may need to start from scratch in some areas.
But if we’re going to avoid future disasters on the scale which Heartbleed has the potential to present, it’s something we have to do.