The Internet of Things (IoT) will be great: I’ll be able to tell my refrigerator to defrost those steaks I want for dinner before I leave the office. I’ll be able to have my house warm before I get home from working overtime on a cold day (hello Nest). According to McKinsey Global Institute, the Internet of Things has the potential to create an economic impact of $2.7 trillion to $6.2 trillion annually by 2025 (McKinsey Global Institute, Disruptive technologies: Advances that will transform life, business, and the global economy, May 2013). From Microsoft’s White Paper on IoT for business:
“The term “the Internet of Things” isn’t new. It was actually coined nearly 20 years ago by professors at MIT to describe a world where “things,” which can be devices or sensors, are both smart and connected, with the ability to collect and share data. Data coming from those devices and/or sensors is endless, and when combined and analyzed with other types of data, it can uncover insights that were out of reach in the past.”
There is a statement in the Wired article Why Tech’s Best Minds Are Very Worried About the Internet of Things which declares the importance of IoT: “Everyone will be affected by this collision of hardware and software, by the merging of the virtual and real”. This Wired article is a very good summary of my view on IoT, but I would like to expand on three reasons we are not ready for the Internet of Things.
1. Increasing Complexity
“The web will be embedded in everything from your car to your sneakers”. “We will live in a world where many things won’t work and nobody will know how to fix them”. How many people can set the clock on their DVR? How many people can fix their PC, tablet, or smart phone application problem?
How are users expected to set up, configure, manage, and update everything? Download the app to your smartphone to connect to the device, and make sure everything is connected to the same network? Or are the device manufacturers going to ask users to remove WiFi passwords, or take some other approach that reduces the consumer’s security posture to make the devices work? Are vendors going to deploy WiFi cracking or security bypassing techniques to make it easier for users to set up and use?
2. Loss of privacy (or anonymity)
Also in the Wired article was the statement “By 2025, we will have long ago given up our privacy. The Internet of Things will demand–and we will give willingly–our souls.” In my view, most people have already given up their privacy in 2014. This involves the ethics of it.
Pay attention to that last point in the opening quote from Microsoft: “uncover insights that were out of reach in the past”. Why do you think that large corporations such as Google, Microsoft, Yahoo, Facebook, and others, are so interested in IoT? They already collect so much tracking and personal data about us that in many ways we have already lost our privacy and practical anonymity.
I think user “jose_e” put it poignantly in his comment to the Wired article:
“The crucial thing to consider about the I.o.T. is its integration with Big Data, which wasn’t mentioned in this article. If every ‘thing’ around us is keeping track of some aspect of our use of it, over time that information will coalesce into recognizable patterns, to the degree that our preferences and behaviors — thought and action — will become so predictable and ‘easy to use’ that the inconveniences of free will and self-responsibility could easily become ‘outdated’. I think that’s the real fear when people say stuff like “reduction of people into numbers: the dark side of the quantified self” and “The Internet of Things will demand–and we will give willingly–our souls”. I don’t think it’s as much about privacy (which sounds kind of vague) as it is about a condition of diminished human agency.”
IoT will further aggravate problems such as ID theft, stalking, custody disputes, threats to freedom of speech (inhibiting the feeling of being able to speak without reprisal), and more.
3. The Internet of Broken (insecure) Things
“Most of the devices exposed on the internet will be vulnerable”. Most? How about ALL of those devices will have vulnerabilities, some of which may be exploited. Perfectly secure software cannot be produced. And, as complexity increases, the chance for bugs, exploits, and security gaps increases exponentially.
Look, people can’t update and protect their current computer equipment even when it runs automatically, and the government and industry can’t secure their computing infrastructure.
Cyber-attack is the number one threat to the United States. IoT is going to make the current state of insecurity pale in comparison; just look at what is already happening:
- Hackers Have Used A Refrigerator To Attack Businesses
- IoT Devices and Security DVRs hacked to mine Bitcoin
- IoT Hack Connected To Target Breach
- The Government Plans An Internet Of Networked Cars (note, I’m planning a follow-up blog post to this one…)
- Track Cars with Wireless Tire Pressure Sensors
- Tire Pressure Sensors Used to Hack Cars
- Students Get an Education on How to Break Into Latest Automobiles
- Your car’s computer system can be hacked with off-the-shelf parts or Hackers Can Take Over A Car For About $20
Until the Information Technology industry begins with security design and secure programming from the very beginning (i.e., 101 course level), we will never begin the process needed to secure our devices. A good place to start is to teach and ingrain into our developers and processes the prevention of the SANS Institute Top 25 Most Dangerous Software Errors. These 25 coding errors account for the vast majority of all software vulnerabilities. In fact, the Heartbleed vulnerability was a basic mistake of not validating the input before performing the function, as eloquently shown in the following cartoon:
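The missing check described above, as an added example (not code from the original post or from OpenSSL): a simplified heartbeat echo in which the sender states its own payload length, shown without and with the length validation. The record layout, function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat request (a constructed model, not OpenSSL's code):
 * byte 0 = type, bytes 1-2 = payload length CLAIMED by the sender
 * (big-endian), bytes 3.. = payload. rec_len = bytes actually received. */
#define HB_HEADER 3

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Flawed: echoes as many bytes as the sender claims, never checking rec_len. */
long echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HEADER) return -1;
    size_t n = claimed_len(rec);
    if (n > cap) return -1;
    memcpy(out, rec + HB_HEADER, n);      /* may run past the record */
    return (long)n;
}

/* Fixed: drop the request unless the claimed payload fits in the record. */
long echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HEADER) return -1;
    size_t n = claimed_len(rec);
    if (n > rec_len - HB_HEADER || n > cap) return -1;
    memcpy(out, rec + HB_HEADER, n);
    return (long)n;
}

/* Constructed sample: a 7-byte record carrying "bird" but claiming 16 bytes,
 * followed in the same array by stand-in data for unrelated server memory.
 * demo_unchecked_leaks() returns 1 if bytes beyond the record were echoed. */
#define DEMO_REC_LEN 7
static const uint8_t demo_mem[32] = { 1, 0, 16, 'b','i','r','d',
    'S','E','S','S','I','O','N','-','K','E','Y','!' };

int demo_unchecked_leaks(void) {
    uint8_t out[64];
    long n = echo_unchecked(demo_mem, DEMO_REC_LEN, out, sizeof out);
    return n == 16 && memcmp(out + 4, "SESSION-KEY!", 12) == 0;
}

int main(void) {
    uint8_t out[64];
    printf("unchecked leaks: %d\n", demo_unchecked_leaks());
    printf("checked result: %ld\n", echo_checked(demo_mem, DEMO_REC_LEN, out, sizeof out));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length with the number of bytes actually received.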
Finally, “They [IoT devices] will also be prone to unintended consequences: they will do things nobody designed for beforehand, most of which will be undesirable.” Exactly. How about Nest recalling its smart smoke detector because if it detects waving arms or other movement it won’t sound the alarm or it will shut off – a design feature (wave) to make it easy to turn off the alarm when there really isn’t an emergency. There is no way we can possibly understand all of the use cases (and mis-use cases) the IoT devices will be subject to, let alone the interactions between an infinite number of them.
I’m not saying we shouldn’t work towards the Internet-of-Things, but our industry has a lot of maturing and work to do before we become ready for it.