While the IoT (“Internet of Things”) promises a plethora of interconnected of devices and a boost to productivity and lifestyle alike, builders of these newly web-connected devices from refrigerators and air conditioners to automobiles and medical devices would be wise to slow the truck down just a tad.
Why? Security concerns. Like insulin-interrupters (medical devices) and mobile hackers (automobiles) and a lot of things in between. A recent article in the July 18, 2015 issue of The Economist on cybersecurity illustrates by example some of the threats that perhaps not enough folks are thinking about.
It starts innocently enough. Mattel has a new Barbie doll that with a chip that “listens.” Ask Barbie a question and she uses her built-in wifi connection to connect to a data center that comes up almost instantly with an apt reply.
At home, smart thermostats learn about their owners’ heating and cooling preferences and adjust themselves accordingly. Insulin pumps are being computerized for diabetics that instantly relay their vital signs to their doctors.
What do these all have in common? Not a lot of defenses against modern day hackers.
But then, think back not long ago to the original internet: Who was worried about worms, viruses and hackers then? Now, we worry about cars being hijacked by hackers (witness the recent huge Jeep recall when it was discovered that a hacker outside the car could take over its controls). People fear diabetics being murdered, as the article points out, by having their pumps disabled remotely (it’s been done, sans the murder part), or thieves hacking a home’s temperature settings to learn when its residents are away.
The issue here is whether manufacturers – with little internet security experience, or even the need for it up til now – can thwart a determined hacker. Most haven’t even been thinking about it much. At least not until now. Most widget-makers have little experience with these things. They are mechanical engineers by training and, as one European car maker noted, “suddenly we have to become security developers, cryptography experts, and so on, and we have no experience of how to do all that.”
Most computer and software companies have learned that perfectly secure code is a myth. Often, companies like Google and Apple actually pay hackers to find holes in their security, then patch them. It’s a never-ending cat chasing its tail problem of course – at least in today’s technology.
But the biggest threat, The Economist article notes, is that “companies have few incentives to take security seriously.” Just as in the Internet of the early 1990s, most of these threats are still on the horizon. So getting security wrong today has, for the moment “no impact on a firm’s reputation or profits.” Expect that to change before long, especially “in industries where the consequences of a breach are serious.”
Just as in the early years of the train era, when it took many boiler explosions and crashes before railways started taking safety seriously, and in the auto industry, which really only started getting serious about safety in the 1970s, safety and security protections will come to the Internet of Things – especially where real safety issues are involved.
But it’s going to take awhile, and a few bumps and bruises – and probably worse – along the way. Just something to be thinking about…