As with the cloud, where virtualization was the key to unlocking the potential, the Internet of Things was also unlocked by a common denominator technology: the drastically falling price of sensors. Sure, the “Things” of IoT are networked and have computing power at the nodes, but so too does the plain old internet (PoI). What makes IoT different from what came before is the ubiquity of sensors of all types.
One of the first embodiments of IoT in my book was the iPhone 4s (although some of its features had been previewed in the iPhone 3GS). Of course many claims could be made for the first “thing”, but the addition of Siri voice recognition and response, and a more capable chipset make the 4s as good a candidate as any. With that addition the 4s enjoyed a list of sensors including: 3-axis accelerometer, compass, up/down orientation sensor, voice recognition, touch screen, 4 RF sensors (receivers – cellular, bluetooth, GPS, and of all things, FM radio), a light sensor, 2 cameras, the plug controller for both electricity and data…and no doubt more. We tend to think of phones in other categories, but as a sensor platform they are unparalleled.
Most estimates are now calling for upwards of 20 billion IoT devices by 2020 (which BTW necessitates IPv6 to provide addresses for all those devices…see Oct 9 post for more on IPv6). A the chart indicates, these networked sensors will be everywhere, and in every sector. Since the cybersecurity issues with IoT things are essentially the same as general cybersecurity concerns, one might have hoped that the introduction of IoT would be more security-conscious. Alas, in the rush to get devices to market, we are now seeing the same set of issues with IoT that we have seen for so long in enterprise networks. The chart at right represents one of a number of studies on devices on the market in 2014/2015, and essentially no devices tested were secure from all of the most common vulnerabilities. Worse yet, many components of our critical infrastructure, including airlines, automobiles, and the power grid are now being updated both to bring components onto the network as well as introduce IoT-type sensors for better control…and increased vulnerability.
So what would it take to secure the Internet of Things? Basically the same set of things required for the internet at large…don’t build security flaws into the software, make sure the devices are continuously updated, keep these devices separated from your other operational networks, control access and data flow. Of course IoT is worse than the PoI, not better, due to the many new vendors and users who are less familiar with the risks than the traditional IT security professionals.
The current state of understanding of IoT security is the new ISACA 2015 IT Risk/Reward Barometer, which surveys 7,000 ISACA members and 5,400 consumers from various countries to understand their concerns. Almost three-quarters (73%) of the security professionals believe their business is at a medium to high risk of being hacked via an IoT device, and the same number believe IoT security standards are not adequate. Consumers want more, but are again woefully unprepared for managing all their devices (most underestimate the current number of devices in their household by about 50%) or the data losses likely to result.
The regulatory side is also in flux. The Federal Trade Commission is taking action, seemingly looking towards more broad-based privacy protections rather than anything specific to IoT. Key industry leaders are leery of intrusive legislation or regulation, and the new IoT Congressional Caucus seems to be primarily focused on bringing Congressional colleagues up to speed on how to spell IoT, and the implications. Unfortunately, there are clearly some misguided regulatory efforts. A draft bill in front of the House Energy and Commerce Committee would create fines up to $100,000 for unauthorized access to motor vehicle systems, even if you own the car. This is the latest salvo from the automobile industry, unbeknownst to most consumers, looking to establish that you don’t really own the software that runs your car, or even have rights to inspect or modify it. While this is especially egregious in light of the recent Volkswagen scandal involving software that defeated regulatory compliance, the automobile industry is certainly well-funded and persistent.
IoT will certainly become a pervasive fact of life over the next 5 years. It poses yet another daunting round of technical, legal, privacy and regulatory hurdles that will take years to sort out. As a consumer, your options will sound familiar: be aware of what devices you have and allow into your environment; for home use, control what you allow on your network; be careful what information you allow to be shared, and with whom. But there are more options here as well, given the state-of-play of IoT. You can choose to help influence the debate beginning in Congress on regulating this industry, or on the FTC rule-making regarding your privacy. You could choose to become involved in advocacy groups like EFF or others who are active in these discussions. We do have a voice in shaping our technology future.