
XIThing blog - The Internet of Things is broken. How to fix it and why we should.

16 November 2015

Hackers can already hijack your car, access your baby monitor, take over your TV, control the lighting in your house, and basically access the vast majority of all current internet-connected objects without permission from the owner. So should we, as McKinsey states, really connect some 30 billion objects to the ‘Internet of Things’ (IoT) by 2020?

Why would you want to connect every object in your physical surroundings to the internet in the first place? Judging by research from Gartner and McKinsey, who predict that the IoT will add $1.9 trillion to the global economy by 2020, and $2.7-$6.2 trillion by 2025, we really seem to want to do just that. But why? The answer could be as simple as it is powerful: because it could vastly improve our lives, and sometimes even save them. It can improve our factories, do tedious jobs, entertain us, make us more effective, open up new possibilities, diminish our waste, etcetera.

Although the IoT is still in its infancy, the uptake is undeniable. Michael Porter affirms that digital capabilities are an increasingly differentiating factor for every object that enters the market. Cars, for example, differentiate increasingly on software-related capabilities such as onboard entertainment, drive assistance, motor management, personalization of car responsiveness, and park assistance. The same holds for objects nobody would have dreamt of connecting to the internet, such as light bulbs, doorknobs and mirrors. Where differences in physical properties are diminishing, differences in digital capabilities are increasing. Not always, but often because they genuinely improve the usability and/or utility of the object. And that gives producers of these objects a clear competitive advantage.

As said, though, the forces that push every object online and make our lives more and more dependent on them do have a downside: objects become more vulnerable when they are digitized and connected to a network. OWASP (the Open Web Application Security Project) has a top ten of IoT vulnerabilities:

  1. Insecure Web Interface
  2. Insufficient Authentication/Authorization
  3. Insecure Network Services
  4. Lack of Transport Encryption
  5. Privacy Concerns
  6. Insecure Cloud Interface
  7. Insecure Mobile Interface
  8. Insufficient Security Configurability
  9. Insecure Software/Firmware
  10. Poor Physical Security

In the end every IoT object is vulnerable in some way. But that hasn’t stopped us from bringing more and more objects online. Apparently the (perceived, short term) advantages outweigh the (unperceived, long term) disadvantages.

Unfortunately, with such a network increasingly penetrating our physical surroundings, the stakes are rising. Although a social network being down is annoying, it is unlikely lives will be lost. And while a bug in an app is unfortunate, it probably won’t have a big impact on your life. But if someone hijacks your car, unlocks your front door, takes over your heart monitor or takes control of the traffic lights in your town, the consequences can be dramatic.

That’s why I find it arguable that:

“Stakes rise exponentially with the number of objects in the IoT”

So heading into a future with 30 billion objects online (in just 5 years) we should reconsider our situation and make the right choices.

Ideally manufacturers would improve their products and prevent all mentioned security vulnerabilities. But that is an unattainable goal. It is simply impossible due to the complexity of smart, connected products. In addition, keeping objects safe takes constant effort. Bugs are discovered, hackers improve their skills, context changes require the object to change as well, etcetera.

Keeping something safe means someone should feel responsible for it and take care of it. This is probably the biggest reason for most of the vulnerabilities out there: no one feels responsible for the object any longer. Routers should be patched, but the manufacturer is out of business. USB keys should be updated, but the owner doesn’t even know that is possible. Car systems should be upgraded, but the car is part of a fleet and no one feels responsible for doing so. A recent study by IBM shows that the IoT will grow so fast that it will be virtually impossible to properly manage it. It will simply be too much work to take responsibility for all those devices and keep them safe for the rest of their lives.

So we want an IoT, while the stakes are rising and no one can take responsibility. Although these trends seem at odds, there is actually one way that could work. We have to turn objects into autonomous entities that behave as good network citizens. Objects that are self-responsible, that keep themselves safe and up to date, that can transact autonomously with other objects in the network, that can learn from past experiences. This won’t prevent all vulnerabilities mentioned above, but it will certainly diminish them.

Implementing autonomous, safe and well-behaving IoT objects will require a lot of technology, but we have entered an era where those technologies have been invented and are readily available. Better networking technologies, AI advances, Nakamoto consensus, peer-to-peer technologies, device miniaturization, improvements in computing power, falling costs of computing hardware, and so forth, are just a few examples of prerequisites for a better IoT.

How to apply these technologies to build a better IoT will be discussed in follow-up articles.

Berco Beute @bercobeute XIThing
