Breaking the IOT Connection
In many ways, the current obsession with the Internet of Things (IOT) is understandable. The tech press is constantly on the lookout for something cool and fresh to write about, and IOT is this year’s hot topic. Plus, the idea of connecting essentially everything to everything is pretty compelling at a conceptual level.
However, there are some harsh realities that really shouldn’t and can’t be ignored. Whether we want to admit it or not, anything that gets connected to either a wired or wireless network has the potential to be—and probably at some point will be—hacked. Whether it’s a security camera we install in our homes, a connected module inside our new cars, or an automated building HVAC (Heating, Ventilation, Air Conditioning) system within the buildings we work or visit, the threat is there.
Unscrupulous individuals could leverage the connection to these devices to either cause functional difficulties on the devices or systems themselves, or simply to use them as a backdoor entry into other devices on a connected network and create problems there. We’ve already seen incidents of individuals who’ve shown that they can “break” into various car systems to cause potentially lethal issues to still or even moving cars. It’s also been reported that some of the bigger hack attacks on large corporations actually came through seemingly innocuous devices (like connected HVAC systems) sitting on their networks.
Of course, security-related issues for connected devices are nothing new. We’ve been reading and hearing about computer-based hackers for several decades now. But what is new is the amount and range of devices being connected to a network. With IOT, the number of connected devices goes through the roof. On the one hand, you could argue that this makes the likelihood of an attack on any particular device go down. However, the overall attack surface is increasing so much that it’s creating an extremely attractive target for the more sophisticated, organized and aggressive hackers now initiating these attacks.
A big part of the problem is that most of these new IOT devices are not being brought to market with a robust security model in mind. Instead, the focus is on offering simple connectivity in order to give them new functionality, with easy access being a core part of this new capability. Combine this with all the well-intended efforts that have been introduced over the last several years to make networking easier, and you’ve got the recipe for a potential disaster.
Another key part of the issue is that it’s difficult to think through all the potential scenarios that these kinds of IOT devices might be put through. What we really need are extremely simple tools that can tell us things like what kind of information is being broadcast around our networks; what sorts of “requests” for information are being sent to our networks, how to block and/or stop this kind of information, straightforward explanations of what it all means, and so on.[pullquote]I’m concerned that if we keep moving in the direction of letting everything just start connecting to everything else, just because it can, we’re in for some very difficult challenges.”[/pullquote]
At the same time, despite the potential hit on convenience and ease of use that this might entail, we need to give serious consideration to making more network and communication settings “off“ by default. Admittedly, this a different (and difficult) mindset for most vendors to adopt, but I’m concerned that if we keep moving in the direction of letting everything just start connecting to everything else, just because it can, we’re in for some very difficult challenges.
As technological improvements around IOT connectivity start moving faster, it’s not only worth our while, but essential for us to step back and really start thinking about what the implications really are and will be. There will always be tradeoffs between convenience and capability and ease-of-use and privacy, and sometimes and for some people, those tradeoffs will be worth accepting. However, for many, the potential risks outweigh any minor potential rewards. If vendors, and the tech industry overall, really want IOT to reach the kind of potential that many believe it has, they’re going to have to put security (along with clear explanations of security issues and settings) at the forefront of their efforts.