IoT security embarrassments will slow uptake in 2016
Mon 11 Jan 2016
Michael Neale, engineer at CloudBees, outlines his 2016 predictions for the Internet of Things, explaining why security embarrassments around IoT devices will slow their uptake, while people get their house in order…
As Christmas becomes a distant memory, popular gifts of connected devices such as Bluetooth toothbrushes, fitness bands and smart toasters that regular folk have received put us firmly in an era where there is a risk of a short-term backlash against the so-called Internet of Things (IoT) – or at least I hope so, and I will explain why.
Last year there were many documented cases of quite serious security flaws with “Things”. A lightbulb that leaks your WiFi passwords. A toaster that could be part of a botnet for Distributed Denial of Service (DDoS) attacks, and much more. This should come as no surprise – IoT devices are ideal participants in DDoS attacks because they are usually turned on, connected to a home network, and most owners will be justifiably oblivious to the network conversations their gear is having.
These are bad things, but unlikely to change people’s buying behavior. However, when your fridge says things like “Please check your email in Google Calendar website” it is just a hint towards the irritation that will become real in 2016. Always leading the geek zeitgeist, the Twitter account “Internet Of Sh*t” chronicles amusing tales of bad IoT ideas, or IoT gone wrong. Go on, take a look… (it’s hard to look away).
The above types of bad-ness are really two sides of the same coin: software quality. A symptom of an early market, with products shipping like crazy, is bugs. Bugs mean security holes and irritation. I think the irritation caused by these early products, combined with early media hype around the security challenges, may cause people to hesitate before buying a Foot Spa that has a MAC address (“Like This Foot Massage On Facebook”) as gifts for the 2016 holiday season.
I should be someone that loves IoT. As a former Electrical Engineer, I used to build industrial plants, and SCADA systems (used to monitor and control industrial processes). As a result, I was acutely aware that buggy software could lead someone to be crushed to death by a large machine, so perhaps that is the source of my “fear” of the IoT gold rush, and that fear is unfounded.
I’m no luddite and I even participate somewhat… I have an excellent Nest thermostat for my home office (see picture). It learns to keep me toasty warm on winter mornings (in the Australian summer, as you can see it is here now, it sits around bored as I don’t have it wired up to the cooling. Probably watching me, plotting its strike on humankind.) It is truly a great piece of kit. It updates seamlessly (I never even know) and I have it on good authority its security story is very strong. Nest (now Google) put a lot of serious engineering and expense into getting its software right.
Another great piece of kit is the Tesla Model S electric car. As everyone I know seems to own one (except me), they too are serious IoT devices (that you can drive). Similarly, they also have a great update story, security and reliability story, with lots of hard work put in by Tesla software engineers (bless them).
Both Nest and the Tesla seem to have mastered the trick of continuously delivering updates to their appliances/devices (I would love to hear more about their story) and I am sure in time, other IoT vendors will too, and the world will be better for it.
In the meantime, I can change the colour of one light bulb in my house while out and about, and convince people it is haunted. Happy new year!