We Can’t Let Our Toasters Become Smarter Than We Are
On the promises and perils of the Internet of Things.
So much is already so smart. Today, if you were so inclined, you could buy smart bread makers that let you remotely check the status of your bread. Or a smart thermostat that would learn your family’s behaviors and intelligently manage the temperature of your home. You could even purchase smart toys that listen to what your children are saying and respond.
But in the not too distant future, everything will be this smart, and everything this smart will be connected. This Internet of Things (IoT) represents the third wave of computing. The first wave focused on computation — making the basics of computing work. The second wave centered on networking — connecting all of these computers together in a global network. The third wave, of which we are in the early stages, aims to make computers part of the physical world in which we live. Computation, communication, and sensation are being woven into everyday objects, all of which contain, and indeed are, computers.
IoT offers tremendous potential to society in a wide array of fields. Consider the case of health care: in the early 20th century, the primary global-health issue was controlling infectious diseases like tuberculosis and diphtheria. Now, in the early 21st century, people in developed countries need to manage chronic conditions like heart disease and diabetes, which require sustained changes in people’s behaviors in terms of diet, exercise, and medication. The World Health Organization estimates that 60 percent of all deaths worldwide are now due to chronic conditions. IoT systems can offer meaningful interventions here by helping people achieve desired changes. The combination of smartphones, wearable devices, and new kinds of home monitoring systems makes it possible to accurately track a person’s sleep patterns, physical activities, food intake, and medication. This information might be used by individuals to understand their own patterns, as well as by doctors and health coaches to offer personalized interventions that are just within a person’s grasp. But with great potential benefit comes great potential peril, and we need to ensure that IoT systems are built with security and safety in mind.
What Makes Security for IoT Different?
Security for IoT shares much in common with today’s security concerns for desktop computers, cloud computing, and enterprise systems. But one difference lies in the many ways in which these problems will be exacerbated by IoT. For example, ransomware, in which an attacker holds your data or your computer systems hostage, takes on new meaning if the attacker can take control of parts of your smart home or the autonomous vehicle you are in. Spyware will also be much harder to detect, since it might be in any of the devices you use.
IoT also poses some challenges for security that are unlike those we have encountered in earlier waves of computing. The most obvious challenge is scale. Soon there will be hundreds of networked devices per person. And while it is relatively easy to configure a security policy for a single device, the same cannot be said for securing hundreds of devices, each of which might have a different user interface.
A second major challenge is the diversity of IoT devices. Some devices, such as tablets and glasses, will have a great deal of computational power and can run security software. The vast majority of devices, however, will be low-end systems and cannot use conventional security software.
A third major challenge is managing security in the face of emergent behaviors, which are unexpected behaviors that arise due to complex interactions between devices. A friend told me that a person once annoyed a bunch of people wearing Google Glass by shouting out “OK Glass, take a picture,” causing everyone’s wearable to take a picture. That is a trivial example. But what if the same logic were used by an attacker who has found a software vulnerability in a smart toaster and causes it to burn some toast? The networked smoke detector sets off an alert and automatically opens up the windows, allowing a thief to easily enter. This is a contrived scenario, but it demonstrates the challenges of understanding the overall safety and security properties of a system when it is composed of parts that were not explicitly designed to work with one another.
A fourth and final challenge is that most IoT manufacturers have little experience with cybersecurity. Traditional software companies that are also looking to develop IoT hardware already understand the need for good security practices. However, many hardware manufacturers — which include makers of automobiles, household appliances, toys, lighting, medical equipment, and more — often do not yet realize that they also need to be software companies. This means having employees who understand good software engineering processes, using tools for developing and testing secure software, knowing how to create and distribute software patches, and having experience in best practices and in avoiding common mistakes. But that is exactly what they need to be and do.
A Path Forward to a Secure Internet of Things
...
https://psmag.com/we-cant-let-our-toast ... .wok2rgw0k