Refrigergeddon, I called it in January, this idea that the proliferation of connected smart devices that we call the Internet of Things (IoT) represents a looming security nightmare. The evidence in favour seems to be mounting. But it also seems that, once again, we're oblivious to the lessons of the past.
Earlier this month Michael McKinnon, security advisor for AVG Technologies AU, was talking to a well-known manufacturer of two-way radios, an exhibitor at the CeBIT Australia trade show. All of their new devices were now packet driven and could communicate over wi-fi networks.
Curious, McKinnon asked about their network capabilities. Could you segregate the traffic? Could you use virtual networking such as VLANs so they weren't connected to other devices on the same wi-fi network?
"They had no idea what I was asking, because their level of maturity as a device manufacturer that's just recently entered this Internet of Things space is not quite there yet," McKinnon told journalists two days later.
"The fear from the security angle is that there's a lot of this sort of thing going on, where we're seeing a replay of history happen with these immature devices."
The history McKinnon is talking about is quite recent.
Remember when that new-fangled multi-function network printer (MFP) was first installed in the office? From the manufacturer's perspective, it was just a photocopier with a few added network functions. So the person who came to install it was a photocopier technician, armed with a quick training course and a checklist.
Remember when that installer couldn't get the MFP to talk to the server because the firewall settings wouldn't allow it? What did they do? They turned off the firewall. From their tunnel-visioned checklist's perspective, the firewall was a thing that shouldn't be there. Did they bother telling anyone they'd done this? No.
Thankfully, that sort of networking clumsiness is now long gone.
Oh wait. No it isn't.
We still hear about devices with hard-coded administration passwords, or admin interfaces that don't use SSL encryption. The other day I even saw someone who does tech support for a widely-used piece of software ask, and I'll paraphrase it to obscure their identity, "What benefit would there be in using SSL for this site's logins?"
The myth persists that even such basic cryptographic precautions are needed only in "secure" networks. We keep seeing organisations storing passwords in plain text, like office.co.uk apparently does. We keep hearing that SSL encryption puts too much load on servers — which may have been true 20 years ago, but not now, not in a time of ever-plummeting hardware costs.
Surely after a year of Edward Snowden's revelations in particular, and news of endless hacks in general, we'd have learned that any and all data can be used to build a picture of a person or organisation, and that we should make best efforts to protect everything? No, apparently not.
IoT is all of this multiplied by ten. By a hundred.
If we could forget that a hulking great MFP was a computer, we certainly won't think about baby monitor cameras, or exercise bikes, or bathroom scales, or car audio systems, or party lights, or rice cookers — each with their own management app. What a mess.
The situation will be made worse by confusion about the meaning of IoT itself.
AVG's research shows that only 52 percent of Australian small businesses understand that IoT a network of connected devices that are able to communicate with one another. Barely half. Some 15 percent obviously just guessed, choosing "a type of email system", and a quarter, 26 percent, said they didn't know.
And yet 84 percent agreed that IoT would be relevant to their business to some extent. How they knew this, I've no idea. Nevertheless, this leaves considerable scope for charlatans and snake oil merchants to become part of the IoT ecology too, bringing dodgy practices with them.
But every cloud has a silver lining, as well as a wi-fi network. This proliferation of devices, most of which aren't under direct human attention and control, will need to be managed. McKinnon says that SMBs prefer to outsource to locally-based providers.
"As the explosion of devices continues, there's no question that this demand is going to continue to grow as well. There'll be more outsourcing ... as the number of devices outgrows an organisation's ability to internally manage that situation," he said.
Now I had thought that local IT contractors might be killed off, because PCs now require less maintenance, and SMBs are moving their email and other services into the cloud rather than running their own Exchange server.
But maybe they'll survive after all, and find themselves managing larger, messy clouds of IoT devices and the data they generate. At the very least, they'll be busy cleaning up after the refrigergeddon.