That classic cliché “It’s difficult to make predictions, especially about the future,” has been attributed to a list of humorists ranging from Mark Twain to Yogi Berra.
But it’s true of just about everything, including the vast and explosively growing Internet of Things (IoT). Nobody really knows what it will look like or how it will work (or not work) a decade from now, even though the focus of this, the final week of National Cybersecurity Awareness Month (NCSAM), is: The future of connected devices.
A few things are relatively easy to predict, though. Barring some kind of cosmic upheaval or meltdown, one element of the future of connected devices is that there will be more of them — billions and billions more — as the IoT continues to morph into the IoE, the Internet of Everything. Just since 2018, the IoT has ballooned from about 7 billion devices to more than 30 billion.
Indeed, it is so ubiquitous that it is being carved up into labeling segments.
- Consumer IoT covers everything from smart home devices — light fixtures, appliances, power tools, thermostats and security systems — to games, voice assistants and nannycams.
- Commercial IoT applies to industries like healthcare (pacemakers, infusion pumps, monitoring systems etc.) and transport (vehicle to vehicle communication).
- Industrial Internet of Things (IIoT) includes digital control systems, statistical evaluation, smart agriculture, and factories.
- Infrastructure IoT enables the connectivity of smart cities and utilities through sensors, management systems, and user-friendly apps.
- Internet of Military Things (IoMT) refers to technologies such as robots for surveillance and human-wearable biometrics for combat.
Those all illustrate the fact that the IoT increasingly applies to things that don’t just play the songs you want on your computer or give you directions to a restaurant. They will do — they are already doing — physical things with physical consequences. IoT devices can control the heat in your home, lock and unlock your doors, mow your lawn, vacuum your carpet, chill your food, control traffic signals, run an increasing number of systems in your vehicle and more.
It is not as much of a sure thing, but another high probability is that a significant percentage of future IoT devices will be, as today’s are, riddled with vulnerabilities that cyber criminals will seek to exploit.
Zach Lanier, managing principal, embedded:IoT practice lead at Atredis Partners, notes that the number of entry points for attackers is steadily increasing, “especially where platforms with more ‘moving parts’ are concerned. Consider a home automation platform that has a hub-like device, some cloud service/API (application programming interface), mobile apps, maybe even a web interface, perhaps some configuration or container orchestration on the backend,” he said.
“Any one of these things could have a defect or misconfiguration that affects the platform as a whole. Limiting it to just the device doesn’t capture the whole picture.”
If all this continues on its current trajectory, the future of connected devices will be both a blessing and a curse. They will bring us expanded conveniences, power, knowledge, entertainment and services that seemed unimaginable a generation ago, but those will all come at a price — increased risk to privacy and security, including our own personal health and safety.
That, in fact, is the path we’re on. It was more than two years ago, after all, that Bruce Schneier, public interest technologist, chief of security architecture at Inrupt, and blogger, titled his latest book “Click Here to Kill Everybody,” noting on the book jacket that “a world of ‘smart’ devices means the internet can kill people,” followed by the exhortation, “We need to act NOW.”
It’s two years past NOW, and while there are allegedly rigorous privacy laws and some legislative initiatives to secure the internet (and therefore the IoT), there has been no security and privacy revolution.
Awareness isn’t enough
The current path is not the inevitable future path, of course. While there is no such thing as perfect security, connected devices don’t have to be riddled with vulnerabilities. There are ways to make those devices more resilient and resistant to hackers.
And the ways to do that are not on some wish list for the future. They’re available now. There are multiple tools to “build security in” to software as it’s being developed, so that by the time a device reaches the market, it’s not an easy target for cyber criminals.
But it will probably take a combination of market pressure and government intervention to make the security of IoT devices as much of a priority as features and price.
Awareness of that need is one of the goals of NCSAM, an initiative of the federal Cybersecurity & Infrastructure Security Agency (CISA), within the Department of Homeland Security. Now in its 17th year, NCSAM 2020’s overall theme is “Do your part. #BeCyberSmart.”
But if awareness was all it took, the problem would mostly be solved. It’s hard to get through a week without a headline or breathless TV news report about yet another hacking incident in which attackers exploited IoT devices to spy on victims, steal their identity, hold them or their organization up for ransom, or something worse.
And Lanier points out that there are numerous initiatives “such as the ioXt Alliance, Cloud Security Alliance’s IoT Security Working Group, Cyber-ITL, and NIST’s (National Institute of Standards and Technology) publications around IoT, just to name a few, that offer research and guidance about IoT security.”
Why hasn’t that awareness led to massive improvements in IoT security, or at least consumer demand for it? Perhaps in part because it’s like ongoing reports of traffic accidents, muggings, murders and mishaps. It becomes white noise. Everybody knows the risk is there but figures it won’t happen to them, and if it does it’s just fate, not carelessness, ignorance or a failure to build security into devices.
Another reason is that many connected devices are new to the online world. A decade ago most people didn’t even think of a toaster or refrigerator being online. Neither did manufacturers. Which means they are being made by companies with deep expertise in hardware, but not so much in software. And they have a lifespan of 10 years or more — eons in the world of information technology and in the evolution of online threats.
Tim Mackey, senior security strategist within the Synopsys Cybersecurity Research Center (CyRC), said there are several levels of security missing in the manufacture of many IoT devices, including building in the capability to update and patch software against newly discovered vulnerabilities or threats.
“Device manufacturers really need to understand the types of threats that come from software,” he said. “There are things like the life cycle of the device being much longer than the life cycle of a piece of software. You are not going to have a development team that is going to be on staff for 10 years that will continue to know all the attributes of the specific codebase.”
“Understanding these types of threats is a learned discipline, which means that manufacturers of IoT devices should really be investing upfront in the designs of their systems to mitigate those risks,” he said.
Another digital divide
But even if device security does improve, that won’t necessarily make the IoT world more utopia than dystopia, at least for the masses.
Sammy Migues, principal scientist at Synopsys, thinks security will get better, but mostly because the companies that make money from data collection have a huge incentive to protect that data so nobody else gets to profit from it. Ultimately, that kind of better security won’t benefit the masses, he said.
“It will be a utopia for those who make money off the data but a dystopia for those who are the data,” he said. “The business incentive is to make smart everything. The people who own these things are not going to put up with crappy stuff, so that will drive the market toward security, but not privacy.”
Indeed, Migues sees the IoT world moving in the direction of the movie “Minority Report” that, all the way back in the pre-smartphone era of 2002, predicted a world where data collection enabled police to arrest “murderers” before they could commit the crime.
Although that scenario isn’t reality yet, current surveillance and data collection capabilities make it much less sci-fi than in the past.
“If you were born in 1900, you could move a couple of states away and become a new person,” he said. “Today that’s not possible. I can take an eye print from a camera. I can see how you type from your keyboard. Facial recognition is already being used. You can’t not be you.”
Indeed, just this past week word leaked that Google is experimenting with having its Nest Hub Max respond to commands without the user saying the “Hey Google” hotword first. The idea is that it would begin to respond after “detecting presence.” And, of course, that means it would be listening to, collecting and uploading everything being said in the house.
“If we don’t do something about this, I don’t know what it will be like, especially when 5G (the next generation standard for broadband cellular networks) really gets here,” Migues said. “Everything, including your bed, will have a smart chip in it.”
That means the data collected from all those chips could build a profile of you with limitless detail, including where your car is and when, and which lights are turned on when in your house. Devices like your exercise equipment will know if you have a preexisting medical condition. As experts have noted, plenty of this is already happening.
“Everything will tattle on you,” Migues said. “Which means it could change what it means to face your accuser. We already have red light cameras. Does that mean a machine can be your accuser?”
Supposedly, privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the U.S. are designed to mitigate this sort of invasive data collection. But so far, tech giants like Google, Facebook and Twitter, which make their money collecting and “sharing” (selling) user data, don’t seem to be suffering financially.
The current direction of the IoT could also mean that consumers won’t truly own anything anymore, since they won’t be allowed to fix it for fear of violating proprietary technology protected by the Digital Millennium Copyright Act (DMCA).
Midwest farmers are right now fighting corporate behemoth John Deere over the right to repair the tractors they spent $800,000 to buy. In Massachusetts, independent auto repair shops are battling auto manufacturers over getting access to the data needed to fix a car.
“Does that mean I won’t be able to fix the lock on my door? I’ll have to call somebody authorized by the manufacturer?” Migues wondered.
And what happens if everything in the house, or at the office, is internet-enabled and goes down due to a cyberattack or a fire up the street? “What if little Johnny’s insulin is in the refrigerator and you can’t get into it?” he said. “It’s almost impossible to imagine all the things that can go sideways.”
Window of opportunity closing
Is all this inevitable? Perhaps not. But the window of opportunity may be closing.
Lanier said data collection “is, can, and will increase, but there is a bit more awareness and scrutiny about what and how data are being collected and used.”
“That said, the danger there, as we’ve seen in other realms of technology, is people becoming complacent,” he said. “Sleepwalking into a situation where we are OK with unfettered access to every bit of minutiae about our lives, all because we want the next neat gadget, is an ever-present risk.”
Migues said one encouraging trend he has seen is increasing interest by some in the tech industry in open source software rather than proprietary code, where one has to trust that there aren’t hidden components designed to benefit the seller of that code, to the detriment of the buyer or the user of a product built with it.
“We have a chance to do some stuff with open source products that are trustable, examinable, and transparent,” he said. “The chance still exists to start companies that operate on those principles.”
“There’s no reason 10 people can’t start a company that builds open source pacemakers or cars. They won’t have big resources at the start, but they could form co-ops.”
Of course, that also depends on the market. Consumers have to be concerned enough about their privacy and security to jump from familiar brands to upstarts that promise to be much less invasive but, at least at the start, won’t have the infrastructure to deliver the kinds of services the established companies do.
“I don’t know how much time we have,” Migues said. “Maybe one more generation.”