With some astonishment I read last week's IoT paranoia-inducing Op-Ed column in the New York Times, "Why Smart Objects May Be a Dumb Idea" written by Zeynep Tufekci, who is an assistant professor at UNC Chapel Hill's School of Information and Library Science.
There's a famous George Bernard Shaw quote from his 1903 play Man and Superman that many of you are probably familiar with that I'm inclined to use here as it relates to the competency and real-life experience of teachers and academia.
Despite my overwhelming urge to facepalm after reading Tufekci's paranoid missive, I actually do value educators and academia. When used, Shaw's venerable sound bite often paints them with an overly unfair and broad stroke.
I don't know Tufekci personally and what her industry qualifications outside academia are, so I'm willing to give her the benefit of the doubt.
Tufekci does make some good points about security, and uses the example of the hacked Jeep Cherokee imbroglio to make her point that perhaps, cars and many other devices should not be networked or internet-enabled.
I fundamentally disagree with this assertion. And frankly it's a bit too late for promoting the IoT Luddite movement.
Look, there are far too many advantages in connected products which outweigh the potential security risks. And while it is true that security has often taken a back seat to connectivity in many consumer IoT devices, this is a rectifiable situation.
There are certainly costs associated with it, but it is fixable, and requires better cooperation between makers of IoT devices to standardize on protocols and more resilient authentication mechanisms, as I explained in a previous post.
The idea of a connected car which can be penetrated by a hacker to cause it to lose control or to become disabled is a frightening one. But the reality is that the average individual driving a connected vehicle is not going to be the subject of such targeting, and a certain level of skill is going to be required in order to perform the kind of high-tech carjacking Tufekci is talking about.
I myself found myself placed in Tufekci's position last week, when I decided to take an Audi A6 TDI for a spin at my local dealership. The A6, one of the leading luxury performance sedans, is a technological marvel.
One of the features it has is that it can act as a Wi-Fi access point and with an optional SIM card, it can be directly connected to the Internet using 4G. This enables the on-board GPS navigation system to directly access Google Maps and points of interest, as well as get on the fly traffic reports, without having to use your smartphone.
It greatly reduces driver distraction and provides better situational awareness, keeping your hands on the wheel.
Now, the skeptic in me raised some red flags in the back of my head. Wi-Fi? In a car? Direct connection to Google? How can that possibly be good? Couldn't someone potentially hack into my car and cause me to lose control of the vehicle or stop it in its tracks?
Sure, it's possible, but unlikely. We also have to think about the positives of having connected cars and appliances.
(And yes, I'm well aware of the latest Megamos Crypto RFID transponder keyless entry and remote ignition system issue that Volkswagen brands such as Audi and other car manufacturers are vulnerable to. But that's got nothing to do with IoT.)
The big plus is proactive maintenance -- by having diagnostic telemetry from a car's systems, a company like Volkswagen/Audi would know the instant something was wrong or was exhibiting behavior out of normal diagnostic tolerances, and could alert the driver accordingly to bring the vehicle into the dealership for service or it could even dispatch roadside assistance to the driver's location.
The same could be said for connected refrigerators, washing machines, cooktops, microwaves, air conditioning systems, or what have you. Proactive maintenance and crowd sourcing of performance data allows manufacturers to gain better insight into how their products are used and ultimately provide a better experience for the end-user.
That's how NEST got its claim to fame, by being able to set your HVAC system according to how other people in your neighborhood or city are also using their heating and air conditioning systems, so that you can save money on your electric bills.
One of the ways we can avoid IoT security paranoia -- in addition to standardizing on better authentication mechanisms is to move to the IPv6 stack for all IoT devices and to have IPSec be a requirement for device to device and device to cloud communication. And to use much stronger and longer encryption keys.
This is really a necessity because we've effectively run out of IPv4 address space and device proliferation is going to make IPv6 a virtual requirement. But that means broadband and wireless service providers as well as consumer and carrier network equipment manufacturers and the IoT vendors need to get on board with this quickly.
And yes, longer/stronger encryption keys for Wi-Fi networks as well as standardizing devices on the current WPA2+AES+CCMP implementation and using end-to end, strong IPSec means that will need more powerful SoCs and baseband chips offloading data transfer on the IoT devices and the associated base stations so performance does not suffer.
It also means the devices that cannot be upgraded to use these standards or protocols will probably have to be thrown out with the bathwater if security is a prime concern.
Manufacturing costs are going to increase initially, but long term, with volume production, that will only be a temporary situation.
Oh my God, you might have to pay $10 more for the premium of having a safer IoT device. The horror.
Another way to improve security on IoT devices would be to add multi-factor authentication (MFA) which has become increasingly popular with cloud connected services such as Office 365. This could be as simple as having your phone number called when an unrecognized connection attempt occurs on a IoT device you own, and you having to authorize or deny it.
In my own home I have a good 30 or so connected devices, ranging from smart switches, smart light bulbs, smart fans, smart thermostats, smart pool controllers, smart entertainment systems and set-tops, and smart alarm systems. That's not counting all the smartphones, tablets and personal computers.
All of which I have separate apps to control and integrate. That alone, even for someone as technically inclined as myself, is a pain in the rear. Now, if they also all used separate MFA systems to secure them from unauthorized use it would become a nightmare.
Ideally I'd like to use something like Azure MFA or some other federated solution, and to be able to control that all from one or possibly two apps/services at the most, so I can keep track of this from an auditing perspective.
Perhaps the gross auditing of these types of things should or could be outsourced as a managed service, much like alarm systems have professional monitoring services, so I only would receive the most important events.
Otherwise, I could see myself and the average consumer becoming completely overwhelmed by keeping their device-connected lives secured. It's a service that I and many other people certainly be willing to pay for.
Nevertheless, I'm not going back to a disconnected world. The genie is out of the bottle.
Is IoT security unattainable? Or is it simply a matter of rallying the industry to embrace the proper standards? Talk Back and Let Me Know.