The Internet of Things: Stop the things, I want to get off!

Last week was week four of Cybersecurity Awareness Month (CSAM) and the theme was Your Evolving Digital Life.

It’s an important theme because, in case you hadn’t noticed, your digital life is evolving, and fast.

The vast international network of computers we call the internet is gobbling up a lot of new things that didn’t use to be computers, like fridges, baby monitors, TVs, kettles, cars, light bulbs, and power stations.

The resulting melange of smart stuff is called the Internet of Things (IoT) and it’s opening up a universe of new possibilities to everyone from consumers and corporations to hackers and criminals.

The Internet of Things Security Foundation’s mission is to make the IoT secure. It has this to say about the IoT:

The resultant benefits of a connected society are significant, disruptive and transformational. Yet, along with the opportunity, there are fears and concerns about the security of IoT systems.

You can say that again.

The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into it.

A 2014 study by HP found that seven out of the ten internet-enabled devices are vulnerable to some form of attack and the tested devices averaged 25 invitations to mayhem per gadget.

We get an idea of what’s going wrong by turning to OWASP (the Open Web Application Security Project) and its list of the top ten IoT vulnerabilities, which reads:

  • Insecure Web Interface
  • Insufficient Authentication/Authorization
  • Insecure Network Services
  • Lack of Transport Encryption
  • Privacy Concerns
  • Insecure Cloud Interface
  • Insecure Mobile Interface
  • Insufficient Security Configurability
  • Insecure Software/Firmware
  • Poor Physical Security

What the list tells us is that under the hood the Internet of Things is still very much the Internet of Computers. Some might be embedded in fridges and thermostats but they’re still bundles of hardware, software, ports and interfaces.

There is nothing on this list of the top ten problems that somebody running a server sat inside a good old-fashioned data centre (or Cloud) wouldn’t worry about, and nothing a criminal who wants to grow their botnet wouldn’t show an interest in.

With so much experience of securing networked computers and services out there already, the IoT could have hit the ground running with security baked in.

The fact that so much of it appears not to is grounds for serious concern and my guess is that something else, something very familiar, is playing out there.

It seems to me that each major shift in computing that I can remember, from PCs and home networks to the web, WiFi and smartphones, has happened along roughly similar lines.

It starts with a land grab where new features and being first to market matter more than anything else, particularly security, and that can leave users dangerously exposed.

That exposure may be obvious to security researchers from the get-go but it doesn’t become obvious to the general public, or get seriously addressed, until we suddenly see lots of victims. If history repeats itself, then the IoT’s Slammer worm or Heartbleed moment is, sadly, still ahead of us.

It’s bad enough when it’s your laptop or phone that’s at risk but the potential consequences of losing control of your cameras, central heating system or car could be far worse.

What the IoT needs is vendors prepared to put security front and centre and consumers who won’t connect a device to the internet unless security is its number one feature. Right now it feels like we don’t have enough of either.

NCSAM is run by and its mantra is Stop. Think. Connect.

When it comes to Your Evolving Digital Life we’ll only get the IoT we want if we’re ready to leave it at Stop. Think.
