The latest buzzword for the naturally increasing connectivity of today's electronic devices, the Internet of Things (IoT), postulates an "always on" interconnected communication future. In the U.S. today there are more IoT devices than people, by more than 100 million, in fact! With so much focus on what's right about this approach, it would be foolish to ignore what could go very, very wrong.
Applications span from those where Internet connectivity is an obvious step with an equally obvious benefit, such as a smart TV that streams content on-demand or a remote device that controls central heating, to more visionary applications, such as intelligent refrigerators or Internet-enabled pacemakers that enable hospitals to monitor outpatients without physical attendance.
By placing increasing trust in machines, especially those interacting with each other, the consequences of exploitation rise substantially. Computer viruses have for years varied in destructiveness, from rendering a home desktop PC unusable to temporarily bringing down entire financial systems; but with the IoT we are handing technology the power to cause much more damage – systemic and even physical.
There are two layers to the security concern. First is the ability of malicious code to gain control and negatively affect operation. The device itself is unlikely to have a sophisticated encryption capability, or perhaps it does but it isn't enabled by default – wireless-enabled printers, whilst supporting WPA encryption, are almost exclusively left unprotected by slothful consumers. In apartment blocks, unprotected wireless printers are increasingly "hacked" to send amusing images to their unwitting owners, though of course this is but the most minor example of a potential IoT security lapse.
The second layer is the "trusty" wireless router, which is effectively directly connected to any local IoT device and is famous for its porous security. Firmware updates are designed to patch security vulnerabilities, but manufacturers have little financial incentive to provide this ongoing service without a workable funded security upgrade model. Where benevolent manufacturers do oblige, it's rare that these updates can be pushed; instead they rely on a consumer speculatively checking a website for updates. If no ill effects have been noted, why would they? If the device has been compromised – it's probably too late!
The ramifications of such device exploitations can quickly become devastating in critical embedded systems, though I hope the severity of these realizations will push the industry to address this critical issue.
Recently in the UK a BBC news article brought widespread guffawing with the headline "Fridge sends spam e-mails" (pun intended), but it has usefully raised awareness. The spam advertiser is perhaps the most obvious antagonist, looking to hijack any available medium as a proxy to spam e-mail accounts – or perhaps even to advertise directly: an Internet-enabled e-whiteboard would be the ideal place to force perhaps illicit advertising 24/7 in a family home.
Internet-enabled home automation, particularly involving access control and CCTV, would be hugely attractive for perhaps more traditional criminality, with a new "smart" edge. Even without a specific security setup, the integrated webcam increasingly found in smart televisions would be very interesting viewing to a whole host of candidates.
An additional angle bandied about is the potential for governmental exploitation: another recent UK press article reports the app game Angry Birds has been exploited by UK and U.S. security agencies to gain personal information. Intriguingly, sales of Nineteen Eighty-Four, the Orwellian social dystopian vision, soared 7,000 percent following the 2013 mass surveillance leaks.
I wonder if a progressively paranoid public will take increasing interest in the potential of IoT devices to enable authoritarian privacy invasions, perhaps by the previously mentioned smart TV or smart glasses, enabling a live view into an individual's life.
Whilst unlikely in the Western world, historically less democratic governments have taken a very keen interest in what literature their citizens are reading. Already Internet-enabled, could a compromised e-book reader reveal anti-government reading habits that land you in very hot water? Could your monitored smartphone, betraying your location at an undesirable event via GPS, risk something similar?
Perhaps I'm getting a little ahead of myself, or maybe these are concerns for other countries, not ours. What is true today is that the entire chain of devices must be secure, and it is the manufacturer's ongoing responsibility to ensure that is so.