The Cloud, turned out to be a means for everyone to see their most beloved celebrity naked.
Big Data, turned out to be a means for data mining for further invasion of our privacy.
The Internet of Things (IoT), currently our most beloved word, will highly likely lead us to disasters caused by internet based attacks no one has ever (yet) dreamed of.
The industry seems to be moving a lot faster than internet security experts can catch on. The notion of security is at total loss as the companies move forward, without taking proper precautions into account, and prematurely introducing new products and services that are slowly converging into autonomous systems.
I do realize I sound pessimistic about the subject; we must always move forward but with taking precautions before going full ahead to disaster.
Let me give you a few examples as to what can be achieved via Internet of Things related technologies as of this writing:
- It is now possible to remotely murder someone with vulnerable medical equipment.
- You can hack the thermostat of a smart house
- You can remotely stop a car on the highway
- Hack through some aircraft systems while flying
- Create one of the biggest DDoS attacks the world has seen with a large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras.
So who will control and secure the IoT devices ? That is a question that needs to be answered before things get really out of control. It is not a sci-fi movie any more, your fridge will now order food for you. One can only imagine what an internet enabled toilet can do; hopefully not the things that come first into our twisted minds.
Two things need to be solved immediately, before these devices increase in terms of number and also level of autonomy.
Device transparency and forced firmware upgrades
IoT enabled devices must share common security features and must allow forced firmware updates to increase level of security without human intervention.
Network infrastructure changes
Software Defined Networking (SDN) may lead the way to implementing policies to define what types of IoT devices may perform what types of actions thus limiting the likeliness of these devices from becoming Bots to participate in attacks. But the question remains as to how these will be applied to your typical router at home which obviously has no SDN or professional firewall/IDS capability.
What Not to Expect from a Typical User
The WEP wireless encryption algorithm was cracked in 2001 and it is still in use in many homes; moral of the story being you cannot (or should not) expect a person to take security measures on his/her own, as a router is just a device that connects the household to the internet, which was set up some time ago by a technician sent by the telecommunications service provider.
It is therefore now the manufacturers’ job to enforce security measures in these devices, either by the forced firmware approach I mentioned above or by some other method which needs to be discovered as soon as possible before something terrible really happens, as in my humble opinion the IoT implementation in its current state, is simply an accident waiting to happen.