The Internet of Things—totally awesome or a security nightmare?

Recently, I’ve been thinking a lot about the Internet of Things, y’know, that rapidly approaching scenario that sees more and more everyday objects get Internet connectivity.

Half of me is really excited, as this is a real glimpse into the future. Heck, the IoT can already help people do a lot of things, such as monitor their health, manage their home or reduce their environmental impact—and that’s just for starters. Who knows what’ll be possible in twenty years’ time, or fifty.

But (and there’s always a but, isn’t there?), the skeptical half of me is wondering if we have really thought this through. As more devices communicate with each other and, more importantly, affect each other’s behavior, don’t we risk a nightmare scenario in which villains and terrorists can hijack our technology? A scenario in which hackers can target anything from fridges and factories, to traffic lights and water treatment plants.

This seems to be exactly the opinion of computer security specialist Bruce Schneier. In a recent interview (which makes troubling, but interesting reading), Schneier states:

There’s nothing you can do. This is very much like the computer field in the ‘90s. No one’s paying any attention to security, no one’s doing updates, no one knows anything - it’s all really, really bad and it’s going to come crashing down.

Which is not exactly confidence inspiring …

Personally, I’m torn in two—I don’t know whether to embrace it with both arms or run a mile.

But what do you think? Is the Internet of Things ten kinds of awesome (and if so, what are you using it for), or is it our first glimpse of an imminent dystopian nightmare?

P.S. In case you missed it the first time round, it’s good for some humor, too. Allow me to introduce the Internet of Useless Things.

This editorial will appear in this week’s issue of the SitePoint Newsletter.

3 Likes

Nice write-up! I have the same concerns. It doesn’t make sense to me to have essential services, in particular, hooked up to such a vulnerable network. (I seem to remember these essential services worked perfectly well before the Internet appeared.)

Alongside the hazards of villains are also natural and economic hazards. What happens when power supplies get shut off? The Internet is a dead duck when that happens. And what if an economic decline, or a war or whatever, affects the ability to keep these services connected? We seem to be assuming that this system will just keep going, and we are throwing away fall-back options.

I remember as a university student when I walked into the library one day and the extensive card catalog had disappeared! “No, you have to use the computer to search the library now.” Well, that was great. On my first day, I discovered that many of the older books in the library had not made it into the digital catalog. Then the next day I came in and the whole computer system was down. And where was the perfectly good card system that had been there 100+ years? Probably off at the tip somewhere, being crapped on by seagulls!

Ha! That reads like a collection of April Fools posts. :stuck_out_tongue:

1 Like

That’s exactly the problem with us discarding things like that. And while there can be huge benefits to newer systems and technology… there’s always that worry about failure, isn’t there… it’s hard for a card catalog to completely and utterly fail, unless something catastrophic happens to the entire facility; the computer system can be taken down by a single server issue, depending of course on their setup.

/shrug

Although, maybe we’re already past that point. I mean… My suspicion is that most “first world” countries couldn’t survive with society intact in a prolonged power outage, already… so maybe we’re already committed?

Back to the actual question - I think that it’s both. The “Internet of Things” is both “totally awesome” and definitely a “security nightmare” :smiley:

1 Like

It does kind of puzzle me a little that we are only just talking about IoT like it’s something new and ‘just happening’ - what are smartphones, if they are not “a thing”? When was the last time you updated your AV protection on your iPhone? Should something like that exist, or are they all invulnerable?

I feel like smartphones fall into the same category as other computers that we use normally, now - PCs, Laptops, Tablets, Phones - devices. IoT seems to me to refer more to the “things” that aren’t really multifunctional devices that we use. Not sure if that’s the way everyone else looks at it.

So smart lighting, thermostats, connected cars, signs, peripherals etc… those are more of “things” to me.

I’m not 100% sure what the AV protection on phones comment has to do with the topic - can you help me out? I know my phone doesn’t have AV. I also know that, at this point, we still aren’t at the place where phones are targeted as much as other devices. If we keep edging towards the continuity-approach though eventually we’ll be forced to consider it as we’ll probably end up with a phone that simply docks into other devices (Screens, etc) as our main device :smiley:

I think the security concerns stem in part from the fact that we’re opening up dozens, hundreds, thousands of different kinds of endpoints for intrusion into networks, and breaking away from the traditional “device” categories that are normally connected?

It was intended as a bit of a rhetorical question - I was just looking at it as a potential attack vector that the villains might choose to leverage in the future. Right now, I’ve no clue what defenses exist against the bad guys taking control of our smart devices - maybe the security we need is inherent in their design, but maybe it’s not.

I understand what you mean when you say you don’t think of smartphones as ‘the things’ in IoT, but I’m curious why we wouldn’t do so, is it because they’ve become so ubiquitous that we’ve dismissed them? At one level, it’s just another CPU chip in a differently shaped package - are the villains giving them a free ride all of a sudden?

Like these you mean? http://www.wired.com/2015/04/microsoft-continuum/

I guess I just view smartphones as lumped in with computers, as opposed to lumped in with “the things” is all I meant.

Like these you mean? http://www.wired.com/2015/04/microsoft-continuum/

No. I mean, a phone that IS the only computer, as opposed to a bunch of devices that run the same apps. But, I can see that working out too, W10 is sort of the next step in that direction.

Understood. I’m not aiming to be argumentative particularly, just taking a slight sideways glance at what’s already commonplace.

Yeah, I hear you. So, sidebar off of what you were talking about.

Does anyone know why phone platforms aren’t targeted more than they are? Is it just a matter of time? I know they are, some… but for the most part… ? It seems like that’d be a mass of prime targets. I don’t know enough about mobile security to give a good response without a bunch of research though.

I would imagine there is not much to be gained. What would a ‘bad guy’ get? The opportunity to phone all your friends and ask for money?

Remember, too, that the mobile phone is a bit unique because its communication protocol and the network it uses is NOT publicly accessible. Only when your phone is using WiFi does it behave like ‘other CPU devices’.
The phone network has its own layer of protection (and a form of encryption) and there is not a way to “step in the middle” or “fake” a dialogue with the device.

Me too. I do not profess to be an expert on this. I have 10+ years of experience in the Telecom industry but, admittedly, that ended shortly after the “smart phone” revolution.

I imagine a bad guy could get as much or more from a lot of smartphones than from a good amount of computers, though. I mean, just to start with, most people’s devices are logged permanently into their email accounts, which we all know is the gateway to anything you do online that doesn’t have two factor auth, basically… additionally a lot of people have a lot of other stuff on their phones. Banking, business. Cloud storage. Etc. /shrug
I have no idea what you’d do, how you’d access it, and what you could do with the methods available… but there’s definitely stuff worth taking there.

Remember, too, that the mobile phone is a bit unique because its communication protocol and the network it uses is NOT publicly accessible. Only when your phone is using WiFi does it behave like ‘other CPU devices’.

I definitely agree about phone networks - that’s not going to be a prime way to get to people. But WiFi - most smartphone users that I know are always on WiFi when it’s available. Very often, it’s public WiFi, and they don’t restrict their Internet usage because of that fact at all.

/shrug

Me too. I do not profess to be an expert on this. I have 10+ years of experience in the Telecom industry but, admittedly, that ended shortly after the “smart phone” revolution.

Yeah… I’d come from the other side and have just enough IT support experience and interest in security to have a general idea (regarding phones) but I was never involved with anything to do with mobile security so… just shooting the breeze basically :smiley:

The paradigm of IoT is happening. We can’t hold it off. Yes, we can be concerned and yes, we might want to step back and think about the possible consequences. But, I doubt it will help much to actually take action. Humanity has always taken large steps forward and always ended up having to take a few steps back. It is inevitable and it is normal.

Scott

Just like Bruce Schneier’s comment - “No one’s paying any attention to security, no one’s doing updates, no one knows anything”

I ran across an AngularJS based shopping cart. The code had the checkout parameters out in the open in the app.js.

Having come from a Windows application background, this kind of thing makes me skeptical of using any JavaScript framework such as AngularJS. It is exposed in the client vs. only being coded on the server and having presentation only sent to the client.

2 Likes

I completely agree with this and I don’t think it’s as unlikely a scenario as one might think.
For example, a couple of days ago I came across this worrying article:
Britain may be forced to ration the internet, as web use could consume 100% of nation’s power supply by 2035
It’s a bit of an alarmist headline, but the point is valid.

Too true. I get edgy if the Internet is down for more than a few minutes (although thankfully that rarely happens here). When you think that the Internet has only really been a thing for the last 10-15 years it is amazing how dependent we have become already. For example, without it I cannot work (as I work remotely).

Erm, next question …
Do you have AV protection on your phone?

Another question I have: is anyone using the IoT to track their fitness? There was a great article by @patrickcatanzariti on the JS channel recently, which concerned the Jawbone UP and how to programmatically access the data it stores on you. This got me interested to the point of seriously considering buying one.

Does anyone reading this own a fitness tracker? Can these things be recommended?

1 Like

Nope. Which was kind of my point. Does it exist? If it does, I’m not sure I know what it is, but right now I don’t know whether it needs to either.

For Android, definitely: https://www.google.com/search?q=antivirus+android

For iOS, not sure. I found this: https://itunes.apple.com/en/app/avira-mobile-security/id692893556
But it seems to be focussed on preventing email hacking, or recovering a lost phone, as opposed to typical malware detection.

From what I’ve read, it seems that Android is considerably more susceptible to attack than iOS (as you can only install apps from the Apple store without jailbreaking your phone).

I’m on iOS so that’s probably why I’m a bit vague on the subject.

Some years ago, an explosion at Melbourne’s main gas supplier meant that the city had no supply for weeks. It was a month of cold showers for millions of people, and was quite a shock to the whole system. It should have been a wake-up call that the systems we are building and coming to rely upon are very fragile. The same thing could easily happen to the power supplies, or petrol/gasoline etc.

Anyway, this reminds me to find that tin foil hat I keep for emergencies … :stuck_out_tongue:

Yeah, I don’t have any AV on my iPad. I try and keep the amount of third party apps to a minimum and hope for the best.
I think the worst thing that would happen if I was compromised, would be that they gain access to my email, which as Jeffrey pointed out, is the hub of everything else.

Quite. In the UK in 2000, lorry drivers blockaded the oil refineries and the country quite literally ground to a halt overnight. This brought our utter reliance on petrol sharply into focus. However, when the blockade was lifted, things went back to normal and the topic quickly faded from people’s minds. And that’s the problem with issues like this - they are so complex on so many levels, that we tend to suppress them from our minds, carry on regardless and hope the politicians have us covered (which they probably don’t).

2 Likes

The only thing I think they are interested in covering is their own arses…