Theoretical physicist Michio Kaku predicts that computers, in the future, “will be everywhere and nowhere”. Join Wendy M. Grossman as she explores this Internet of Things to come
Brian Devlin, the executive director of land and environmental services for Glasgow, talks of street lights that dim automatically until triggered by approaching traffic. The security company Incapsula estimates that more than half of websites’ traffic comes from bots. Security researcher Nitesh Dhajani has shown how to go on accessing baby monitors via an iPhone long after a personal visit has ended. Implanted medical devices send patient data to doctors for remote analysis. Modern cars are WiFi-enabled computers on wheels. Government policies will have ‘smart’ electrical meters rolled out to millions of homes in the US, UK, and other countries over the next few years. These are all pieces of the nascent ‘Internet of Things’. By 2015, research firm Gartner estimates that there will be more things than people on the internet, and by 2020 there will be 26 billion of them, up from 900 million in 2009.
In other words, cyberspace is invading the physical world, bringing with it all the familiar threats, plus new ones created by the sheer complexity these new systems will have. Attackers will not be slow to spot new opportunities: at last year's Black Hat security conference in Las Vegas, Trend Micro threat researcher Kyle Wilhoit reported on the results of an experiment in which he created a series of fake water plant control systems and connected them to the internet as a honeypot. It took only 18 hours for the first hacker to visit, and within a month, Wilhoit had logged 39 attacks from 11 different countries. Add this sort of thing to current trends in cybercrime and you can see why Trend Micro VP Tom Kellerman told The New Yorker's John Seabrook in May that “we're completely fucked.”
Miranda Mowbray, a researcher in the cloud and security lab at HP Labs, takes a more temperate view: “We're probably in for a bumpy ride for the next few years”, she predicted at September's GikII conference. As Mowbray said and conversations with researchers confirm, at this stage security is, as is so often the case, taking a back seat to getting things just to work at all.
A Lurking Dragon
Security risks change when you move from connecting people to connecting things. First, device types, communications protocols, manufacturers, and system integrators are far more heterogeneous. Second, the Internet of Things will communicate almost exclusively wirelessly. Unlike the original internet, which ran over owned and controlled wired networks, or its more recent mobile variant – which has laptops and mobile phones using different ISPs depending on location – the Internet of Things, says John Pescatore, director of emerging security trends at SANS, “will have contracts for wireless data servers and will always be using the same ISP. So a lot more security functionality can, and needs to be, built into those wireless data services than we ever did on the internet.”
The awareness of lurking dragons led Pescatore to run a one-day workshop in October on securing the Internet of Things, which was handily followed by a two-day event on health security.
“One of the biggest issues in the healthcare world from a security perspective is all this medical machinery that has network interfaces but were not bought as computers”, he says. “Doctors made the decision – and you can't patch them and they often have hard-coded passwords. So the biggest lesson for the Internet of Things is, don't make that mistake again.” Instead, requests for proposals should include security requirements. Buyers should compare prospective purchases based on their security features, demanding that manufacturers explain how devices will be updated and patched and ensuring there are no hard-coded passwords, and that defaults are set to the safest options.
Pescatore notes that surveys show the beginnings of a sense hitherto unknown in the software world that software companies should bear some of the liability when things go wrong. “It's going to be impossible to spackle on security when you're dealing with millions of devices and thousands of manufacturers”, he says. “Imagine if you could go back to 1980 and tell Microsoft and IBM to build security into PCs.”
In fact, IBM has been researching and thinking about the Internet of Things for decades. By 1998, a visitor to IBM's demonstration ‘smart home’ in Austin, Texas, would have seen a web interface managing the home's many information systems. The best bit: a ticked box tells lawn sprinklers to observe municipal watering restrictions communicated directly as settings from the relevant office with no need for the owner's further input.
Currently, Exhibit A is the ultra-instrumented Isle of Wight home of Andy Stanford-Clark, IBM's chief technologist for smarter energy.
|"It's going to be impossible to spackle on security when you're dealing with millions of devices and thousands of manufacturers"|
|John Pescatore, SANS|
Stanford-Clark admits he's gone “completely overboard” with his experiments, which he monitors via a protected Twitter feed (@andy_house). He is an enthusiastic supporter of “the Internet of Things applied to the energy grid”, by which he means a two-way system whereby sensors and devices link together energy sources from wind turbines to electric vehicles and the air conditioning in large buildings – and monitors the lot. In his home test-bed, better energy monitoring has cut his bills by about a third, and he's built a system that links the Isle of Wight ferry to Twitter.
“It tweets when it arrives and leaves ports”, he says. “Having that instrument means you can get useful information and send it to lots of people without the boat itself having to do anything. It's a good example to me of the Internet of Things adding value to existing systems to give value to everybody.”
Stanford-Clark believes people may be worrying too much about security, given that, in many cases, the information being collected by sensors is not particularly sensitive.
“Don't get too hung up on doing full internet PKI on a device the size of a fingernail”, he asserts. “Build chains of trust so that you trust the next thing in the chain and eventually you get to a big enough computer that can do PKI and secure it when you go out onto the internet.” In his view, consumers will be buying systems secured by experts, with decisions being made when the system is built, and most devices will be used in limited contexts, more like Kindles and less like general-purpose PCs.
“When millions and zillions of these things are linked together there will be unanticipated complexity”, he says. "But, they'll be much simpler and won't have an operating system as such, so you can't hack into them to get access to another one. A whole load of the attack vectors we worry about with computing devices aren't there.” A sensor monitoring temperature in a greenhouse can't be turned into a webcam in his example.
On the Flip Side
Others are less sanguine. “The risks are enormous”, says Peter G. Neumann, who has warned about dangers of over-reliance on inadequately understood computer systems for decades through his RISKS Forum mailing list. “It's assuming third parties to be trustworthy, which is lunacy.”
Besides the privacy problems, “it gets back to this idea that we have a sense of the infallibility of computers, which totally ignores that hardware may be compromised, software may be flawed, and the people who run it may be incompetent or corrupt”, Neumann continues. Liability, he contends, will be near-impossible to assign. “The whole system has to be designed perfectly or fault-tolerantly, reliably, and securely. In the commercial world nobody knows how to do that – or they don't have the patience or funding to do it, or they believe it's not necessary to do it.”
Similarly, Cambridge University security engineer Ross Anderson says, “Most of the people who build new systems are totally clueless, and then an industry is invaded by the internet, and the engineers put some stuff online and don’t stop to think about all the things we [security professionals] know about.” Previously stand-alone systems going online now – air conditioning and the electrical grid, for example – are in industries that have never had to deal with information security problems before and are not really accessible to those who have. “These are engineers who have never dealt with crypto protocols, firewalls, viruses, so the first time they build it they will screw up.” Anderson has no problem envisioning all sorts of attacks, from crashing the electrical grid by remotely disconnecting a load of homes in an area at once to supply chain attacks to new methods of stealing cars.
“All sorts of assumptions people used to make about systems like that are going to come unstuck”, he predicts.
The name ‘Internet of Things’ is generally attributed to Kevin Ashton, who used it as the title of a presentation he made in 1999, when he was co-founding and directing MIT's Auto-ID Center. Ashton's original notion was to equip computers with the means of understanding the world without human assistance. Humans are not good at observing things in detail. But RFID tags and sensors, attached to physical objects, could capture everything about those objects, from the state of wear of a tire's treads to assurance that a package of fresh chicken has been kept within the right temperature range during transit from distributor to supermarket. Early visionaries talked a lot about increasing the efficiency of supply chains, reducing waste, and enabling anti-counterfeiting efforts. The idea of equipping myriad physical objects with tags and sensors was almost immediately challenged by privacy advocates, most notably by Katharine Albrecht, who went on to write a book, Spy Chips, which outlined the issues for consumers.
Around the same time, web inventor Sir Tim Berners-Lee began talking about the "semantic web" – that is, a machine-readable version of the web, enabling machines to talk to each other without human intervention. Fully realized, the semantic web would allow the automatic integration of heterogeneous types of data from a variety of origins. The effect for humans would be to automate a lot of daily administration. Other late-1990s efforts included work on wearable computers and MIT physicist Neil Gershenfeld's book When Things Start to Think (1999).
Currently, the most talked-about implementations of the Internet of Things are toll road pricing and the smart grid – if you don't count all those bathroom scales reporting their owners' weight to Twitter.