Estimates vary widely, but by 2020 there is expected to be many billions of internet connected devices. Many of these devices will have been designed for a given purpose, but many will just be things to which we have added a cheap sensor. The vast majority of the IoT devices will have little or no protection against online attacks. So the IoT is going to create billions of unsecure endpoints in all of our networks.
Many of these devices will have very tiny and primitive processors incapable of any of the kinds of security protection we use today such as anti-virus anti-malware software. The devices are going to be built by a multitude of different companies and have a wide array of capabilities and vulnerabilities. And unless some standard is developed, the devices will use a multitude of different protocols such as Zigbee, WebHooks and IoT6. And perhaps we don’t even want one standard because that could make the whole world susceptible to an effective virus.
Unlike today’s viruses which can cause computer and network problems, an IoT an attack will be able to inflict real world damage. The obvious examples always used include attacks against insulin pumps or pacemakers. But damage can come from anywhere when hackers can address cars, heating and air conditioning systems, water systems and door locks.
There haven’t been many advertised hacks against IoT devices today, mostly because hackers have so many other lucrative places to attack us. But I just read this month how hackers gained access to some electric company grids through their smart metering systems. It won’t take a lot of playing inside an electric network to cause real harm to generators, substations or transformers.
There are some proposed solutions to some of these problems. For example, smartphones and tablets today have elements like SIM or Trusted Execution Environment (TEE) that are secure cores out of the reach of hackers. In those devices we can load credentials into those safe environments which allows us to create a true identity for the device that can be validated by the rest of the network. The more sophisticated IoT devices could deploy the same sort of technology.
We can do something similar for ‘dumber’ devices using something akin to the chip and pin systems that are used in Europe to protect credit cards. Those technologies allow banks to establish the identity of the person trying to complete a transaction.
But to get protection into the IoT is going to require both standards and compliance by manufacturers. Consider the American banking system which is not implementing the same safety standards as Europe, even while tens of millions of credit card numbers and PINs have been stolen multiple times. Just having security is only going to work if the people making the IoT devices spend the money to implement the technology. There will plenty of manufacturers who will cut corners on security to save money.
Further, many of the IoT technologies being contemplated involve swarms of very small sensors connected in clouds and used to monitor our environment. Whether these be deployed in our blood stream to look for signs of illness, or deployed in nature to watch endangered species, these devices will be of such a tiny nature that it will be impossible to add sophisticated software security.
Obviously solutions will be developed because the public will demand it. But before that happens I envision some dramatic and very public cases where hacking kills people or causes other real damage. This doesn’t have to be anything sophisticated. Turning toasters on to full heat overnight might burn down houses. Locking everybody in a town out of their houses by hacking into smart door locks would wake up the public to the dangers of the IoT. I fear we are in for some bumpy roads before we figure out how to do this right.