Alasdair Allan is waiting for the first murder by the Internet of Things.
The British polymath started his career researching high-energy physics, but gradually drifted towards playing with the toys, and became a pioneer in machine learning, big data, mobile systems, mesh networks, and more. Years ago, along with Pete Warden, he launched a global privacy debate and Congressional inquiry by revealing that your iPhone was recording your location all the time; he’s also built the network of telescopes that saw the most distant object in the sky.
Today, he spends a lot of his time thinking about the many devices around us, and how they can be messed with for fun, profit, or just plain mischief. Alasdair’s coming to Pandemon.io to brief us on the next chapter of the IOT (and you should join him!) But before that, here’s a taste of what he’s thinking about security, privacy indifference, and what makes systems unsafe.
Pandemonio: The average home has 13 IP addresses, and counting. How will we protect ourselves when these aren’t properly secured?
AA: You can’t, we have to change how we approach building out connected devices. Right now there are three big problems with the Internet of Things; security, refresh cycle, and standards. We only ever seem to discuss security when we’re talking about standards, and we don’t discuss the refresh cycle at all, not even when we’re talking about standards.
The whole purpose of security is to protect people, not computers, and right now we’re failing to do that. We’re not protecting people, and while the concepts of maldata and data spam aren’t in wide circulation yet, they will be. For instance feeding false data to your neighbours’ soil sensors could lead them to under or over water their crops, which means your own crop might sell at a higher price. This is where blockchain like concepts of data immutability might well come in handy for the internet of things, we may even have to start thinking about architectures where the actors aren’t necessarily trusted.
P A few years ago, phones tracking our location seemed scandalous. Now it’s expected. Are we just getting comfortable with the idea that privacy is a lie?
AA: More than a few years ago now Mark Zuckerberg famously stated that privacy should no longer be considered a “a social norm.” Zuckerberg was right, at least at the time. But I think there’s a serious privacy backlash coming, I really don’t think the current age — where privacy can no longer be assumed, that it’s not the social norm — will survive the coming of the Internet of Things. As Cory Doctorow recently said, “We have reached peak indifference to surveillance.”
It’s going to be a different matter altogether when your things tattle on you behind your back. When your thermostat is telling people when you’re not at home. It’s going to be different after the first big privacy breach, the first time someone’s thermostat, or light bulbs, is compromised. Or worse yet, the first time your thermostat is hacked to blow up your boiler. After the first murder by Internet of Things. Privacy, security, starts to matter when the data has real physical implications to the end user.
P How do you make a mesh of dumb, cheap sensors reliable?
AA:You don’t, but you also don’t have to. General use micro-controllers with onboard Wi-Fi can now be found for less than two dollars, whilst a single-board computer can be picked up for only a few dollars more. That’s something that seems almost inconceivable, even to those of us that have grown up with Moore’s Law. Because after fifty years of Moore’s Law, we’re getting to a place where computing is not just cheap, it’s essentially free.
As Brian Jepson put it, “This is inexpensive enough to be very much in the territory of ‘thousands of sensors-launched-out-of-a-cannon’-cheap.” The beauty of capable computing, computing that is good enough, and cheap enough, is that it can be used in ways that expensive computing can’t. Cheap, capable, computing will enable a host of uses that were never possible before. After all, if your computing is cheap enough to throw away, what is it that you will be able to do tomorrow that you couldn’t do yesterday?
P When you’re looking for the vulnerabilities of a system, where do you start?
AA:In the past a great deal of computer security, has assumed that the end user will have no physical access to the computer. That if an attacker has physical access, then there is no way to stop them compromising what security does exist. But the whole point of the Internet of Things is that they’re physical things. So physical access to Internet of Things devices is a real problem, and for hackers, a real opportunity. I’d start there.
One of the real worries is the headlong rush towards connecting industrial systems to the Internet of Things. While the Internet of Things has its roots in the web architectures of the dotcom era, the Industrial internet has its roots in the SCADA systems of the early sixties, and the minimal security that’s being thrown over the legacy SCADA systems before they’re exposed to public networks is, often times, laughable.
P You’ve built big, networked systems. When do these systems stop behaving predictably and turn into something “organic”? Does the management approach change?
AA:In an interconnected world it’s hard to predict the effects of one system on another, and over the next decade or two we can, perhaps, expect to see general purpose computing, sensors, and wireless networking, bundled up in millimeter-scale sensor motes that can drift in the air currents around us.
If we think ahead to the time when everything is smart, and everything is networked, when computing has diffused out into our environment, the phrase data exhaust will be not longer a figure of speech but a literal statement. Your data will exist in a halo of devices surrounding you, tasked to provide you with sensor and computing support as you walk along. Calculating constantly, consulting with each other, predicting, anticipating your needs. You’ll be surrounded by a web of distributed sensors, computing, and data. The dust around us will soon become smart.
The real question then is who will have access to the sensors, the computing power, and to the data that they generate. Whether the architectures for the smart dust networks will be peer-to-peer and make that computing power and sensing available to individuals, or whether the network architectures will centralize command-and-control into a few hands.
Join Alasdair and dozens of other leading thinkers and entrepreneurs who are building, and chronicling, the future. From connecting the world, to getting presidents elected, to transforming logistics, to inventing the underlying protocols of the modern Internet, each has been carefully chosen to shed light on a facet of today’s unavoidable digital disruption. Tickets are available now.