The future may be an interconnected Web of devices known as the Internet of Things, but today we are stuck with a haphazard collection of “things on the Internet” that are bleeding personal and other data.
And it’s poised to get worse before it gets better.
Stories about today’s “things” profess promise, but show folly: Monday’s revelation of tens of thousands of Web cameras collated on one website and blindly broadcasting their moving picture across the Internet; home automation systems revealing passwords and cryptographic keys or turning baby monitors into bugging devices; and televisions and refrigerators sending out malicious emails.
We’ve seen this movie before (pun intended) most recently in September 2013 when home security camera vendor TRENDnet was slapped by the Federal Trade Commission, which has made regulation of the Internet of Things a major priority.
What does this circus look like if the Internet arrives at Gartner’s prediction of 25 billion connected devices by 2020?
Who or what are the victims when billions of devices are connected to the Internet? Privacy and anonymity are two of the most concerning answers.
What is the potential good and evil when devices are set to collect and share data on your behalf, signal your whereabouts, or continuously stream data from your fitness band or wearable sensors?
As connected devices embed themselves deeper in everyday life, the extraction of data balloons. Anonymity shrinks, profiles emerge, manipulation becomes a possibility, security and privacy fears grip users, and governments and hackers show up in the shadows.
Where is that data stored? Who owns it? Who has access to it? And who is liable for its protection, unintended release or stealth aggregation?
In this month’s Harvard Business Review, Alex “Sandy” Pentland, the Toshiba Professor of Media Arts and Sciences at MIT, talks about data collection and the Internet of Things. His six-year-old New Deal on Data has fostered such legislation on data collection as the Obama Administration’s proposed Consumer Privacy Bill of Rights and the EU’s data protection directives.
There is value in data and therefore avenues for abuse by both companies and hackers who may pilfer it. The New Deal on Data tips the balance in favor of the individual from whom data is being collected, giving them rights similar to those they have over their physical bodies.
On top of collection issues, the sources of this data also have flaws to sort out if they are to be part of a logical and manageable infrastructure.
What’s missing includes a common language for devices to talk to one another, an identity and security layer for identifying and verifying “things,” standard security constructs that define upgrades to firmware or software, and methods to combat devices that are compromised and assimilated into botnets.
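One of the missing constructs named above, a defined and verifiable firmware upgrade path, is concrete enough to sketch in code. The following is an added example, not code from the original post or from any vendor or standard it mentions; it assumes a vendor-held Ed25519 signing key, a small manifest (version number plus SHA-256 digest of the image body) that is what actually gets signed, and a monotonically increasing version counter on the device so that an attacker cannot push an older, signed-but-vulnerable image back onto it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed header that travels with a firmware image.
// Signing the manifest (rather than the raw image) binds the version
// number to the image digest, which is what makes rollback checks meaningful.
type Manifest struct {
	Version uint32   // assumption: a simple monotonic counter
	Digest  [32]byte // SHA-256 of the image body
}

// bytes serialises the manifest deterministically so signer and verifier agree.
func (m Manifest) bytes() []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Sentinel errors let the device (and its logs) distinguish why an update was refused.
var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("image version not newer than installed version")
	ErrDigest       = errors.New("image digest does not match signed manifest")
)

// NewVendorKey creates the vendor's signing key pair. In practice the private
// half lives in the build system or an HSM; only the public half is burned into devices.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the vendor-side step (hypothetical build-system code): hash the
// image, wrap the hash and version in a manifest, and sign the manifest.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the device-side step. Order matters: the signature is checked
// first so that nothing else is trusted until the manifest is known to be authentic.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback // signed, but older or equal: refuse to downgrade
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest // authentic manifest, but the image body was swapped or corrupted
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	image := []byte("constructed firmware image body, version 2") // constructed sample input
	m, sig := SignImage(priv, 2, image)

	fmt.Println("genuine v2 over v1:", VerifyUpdate(pub, 1, m, sig, image))
	fmt.Println("replay of v2 onto v2:", VerifyUpdate(pub, 2, m, sig, image))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered body:", VerifyUpdate(pub, 1, m, sig, tampered))
}
```

The device never needs the private key, so a compromised device cannot be used to mint updates for its peers, and the rollback check is what stops a signed image from last year being used to reintroduce a patched bug.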
And there is always the chain’s weakest link – end-users. In this week’s exposure of openly accessible Internet Web cams, the main issue was end-users who neglected to change default passwords.
Device makers can’t engineer their way around inexperienced end-users, or worse, sheer ignorance.
In fact, they are not doing so well in engineering at all. A recent HP Security Research report showed an alarmingly high average number of vulnerabilities in 10 of the most popular devices in common Internet of Things categories. Those vulnerabilities ranged from Heartbleed to Denial of Service to weak passwords to cross-site scripting.
Michael Coates, director of product security at Shape Security and chair of the Open Web Application Security Project (OWASP), wrote in VentureBeat recently, “If we’ve learned anything from the last decades of the Internet and computer security it’s that we should be proactive in our security planning.”
To that end, OWASP has created a list of the Top 10 security problems with Internet of Things devices, and how to prevent them.
The list includes Web/mobile/cloud interfaces, authentication/authorization, privacy concerns, security configurations, and physical security.
Things on the Internet clearly need a lot of work before we can flip the wording and transform into the Internet of Things model trending in futuristic technology discussions. There is still plenty of work to do on security, privacy, infrastructure and data collection. Are there other issues that have yet to come to light? What are they?