The Internet of Things? It's really a giant robot and we don't know how to fix it

Computer security is now everything security - but protocol isn't keeping up with the risks, warns security expert.
Written by Danny Palmer, Senior Writer

"The internet now thinks and senses and acts and to me that's the definition of a robot".

Image: iStock

The rise of a global Internet of Things network is ultimately creating a giant, internet-connected global robot which is so disparate and insecure that cyberattacks against it are going to cause major societal problems if it isn't regulated.

With more and more devices becoming connected to the internet -ranging from kitchen appliances, to motor vehicles to entire power stations - soon cybersecurity professionals won't just be responsible for ensuring computer networks are safe, they'll need required to ensure all the connected devices in the world are safe.

"As everything turns into a computer, computer security becomes everything security, said cyber-security expert Bruce Schneier, speaking at the Infosecurity Europe conference in London.

"This means two things; the knowledge we have about computer security is suddenly applicable to everything and the restrictions and regulations and controls from the real world start being imposed onto us," he said, adding "The place where we're first seeing this collision is the Internet of Things"

There are IoT devices for everything - sensors which collect data, sensors which sense movement, smart televisions and digital personal assistants which are always watching and listening to potential commands and there are internet connected devices which perform manual tasks.

Schneier argues that if you take the standard definition of a robot, the IoT matches it but on a global scale rather than just inside a metal case.

"The internet now thinks and senses and acts and to me that's the definition of a robot," said Schneier. "To me, the correct way to think about the Internet of Things in general is that we are building a world-sized robot without even realising it".

Robots: An amazing tour through the biggest collection ever assembled

But that's a problem, because the controls and processes are spread across the world, built and controlled by different organisations who have different goals and ideas. Nothing has been deliberately designed to fit in with the rest of the Internet of Things, meaning unregulated but equipped with capability to have real world impact.

"Computer security becomes everything security," said Schneier, who referenced the WannaCry, ransomware epidemic as a cyberattack with real world consequences - it stopped people getting hospital appointments because IT systems were down.

But in this case, there were no-life threatening consequences as it mostly just froze staff out of computers, but what if a cyberattack damaged medical devices?

"It's a threat which actually affects lives. It's fundamentally different between when your spreadsheet crashes and you lose your data and when your heart defibrillator crashes and you lose your life," said Schneier.

The industry has become used to reactive security updates and patching as defending systems against attacks has mainly fallen to the market - an approach which Schneier said has "worked mostly okay" but "not great".

However, these imperfect solutions got by because "the effects of failure weren't that great". If a machine crashed, it had to be rebooted - or in the case of an emergency, the likes of Google, Microsoft or Apple have a team of specialist engineers who "on call to quickly write patches when vulnerabilities appear".

That isn't true for the Internet of Things, with devices like routers and home entertainment systems built by organisations who might not even consider the need for in-built security or security patches - with no option of updating them if the need arises.

"These are produced at a much lower cost at a lower profit margin, built offshore by third parties and they just don't have security teams associated with them," said Schneier. "Even worse, many of these devices have no way to patch; right now, the way you update your DVR is to throw it away and buy a new one." That's if users care about security at all.

"In a lot of cases we can't fix this because neither the buyer or seller care. Your DVR might be part of the Mirai botnet and you can't tell. But it's cheap, it's working, what's the problem? The problem is someone else is the victim of a DDoS attack because of your insecure VCR," said Schneier.

So what's the answer?

"We're going to get government intervention here because the market won't fix this problem by itself," Schneier said and pointed out how this isn't an unusual thing - the likes of food safety, vehicle safety and road safety and more all became safer because the government got involved. "that's actually normal, the market rarely faces safety without government intervention," he added.

If that doesn't happen before there are billions more IoT devices in the wild, that's going to leave individuals and organisations open to all sorts of cyberattacks.

"A lot of this will be cheap, low hanging fruit for attackers. They're going to have entry points to larger systems, larger more powerful botnets in these sub-few pound devices," Schneier warned.


Editorial standards