When I first heard the term IoT I had no idea what it was and what it meant. Obviously it was made completely clear when I was told what it stood for…
The Internet of Things! Oh! That! The Internet… got it… Of… no problem… Things… nope you lost me.
How long did it take, and who came up with that catch phrase? And why on earth did it stick? Internet of Stuff would have been IOS and we can’t have Apple breathing down our necks. Internet of Devices? What stopped us there? The Institute of Directors perhaps? Those biz savvy suits play hardball about being top dog on the Google search so we couldn’t usurp that acronym. So here we are with IoT.
Regardless of how we got here… IoT is a buzzword/acronym/TLA (three letter acronym)/phrase which only through the attrition of use is starting to become somewhat understood.
Deferring to Wikipedia (give that guy some money) it’s defined as: “The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to connect and exchange data.”
It’s that last bit… the “network connectivity” that is the critical new element that creates IoT. We’ve had the “physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators”…and of course the machine that goes “ping!” for a while now in the form of TVs, toasters, baby monitors, lawn mowers, ovens, heart monitors and teddy bears. Yes Teddy Bears. I’m thinking of that old scary Teddy Ruxpin thing from the 80s. It haunts me in my nightmares.
At some point, a bright spark in the world of tech “things” decided a strong USP would be to connect this stuff to the internet so we can communicate to it! Or control it! Or watch it! That was clearly at a point where “This would be AWESOME” was the mandate of Product Development. This was also the mandate of Skynet when they made the first self-aware cyborg that went back in time to destroy us all.
I recently compared the current high speed growth of the IoT industry to the street I live on. I live on a residential farm road just a few hundred meters from a more populated part of the city. As a result of not being directly in the city, the speed limit changes from 30mph to the symbol for the national speed limit, which motorists, in the UK at least, take to mean as fast as humanly possible and with reckless abandon.
Really though, there are real game changing advantages to what “connected” devices have accomplished and will accomplish. Taking the medical industry as just one example, gone are the days of cumbersome insulin pumps and here are the days of a connected device automating blood glucose and insulin administration, and providing remote real-time monitoring for patients and physicians. That’s just the start: internet connected video baby monitors are now allowing parents to head out and paint the town red leaving their young children home alone, safe in the knowledge that if there’s a decent signal they can check in straight from the dance floor… along with everybody else! And there is our first example of how it can backfire… I’m talking about other people snooping in on your children, not the party hardy parents.
I’ll try to dive into why IoT is as big a problem as it is an amazing concept.
From the fridge that orders you more milk when you’re running low, to the aforementioned baby monitor (or party enabler), to the connected automobile that can provide you with real-time traffic updates, control and service in times of trouble to the connected oven that for some inexplicable reason needs to be at 200degC the moment you get in the door from work because we need chicken wings in 30mins and that oven timer thing was just too difficult to figure out… connectivity is a part of our lives. With great connectivity comes great responsibility.
Most of the software used to create the devices that make up the Internet of Things uses open source software. For the non-geeks listening that is essentially software whose source code is a product of open collaboration and is part of a publicly available software project. Essentially it’s non-commercial software made by geeks for sharing with geeks. I’m one of those geeks. You might be thinking now… why? Why are people doing work… for free and giving software away? Frankly it’s an amazing thing and let’s not question it too hard for this podcast. We’ll do that later. It’s sufficient to say there is a huge number of open source projects which actually power about 80-90% of the devices that make up the internet of things. Does that shock if not scare you? It should… a little.
There is an almost immeasurable advantage to open source software in that it speeds up time to market, it offers crowd sourced and crowd funded testing and reliability by design, and it is often subject to extreme critical thinking before an open source project can become something the community at large deems good enough for use by the software development world.
So there are some of the good things. The bad things… essentially, it comes down to security.
You want that oven to only cook your chicken wings and not your home, your child to only be monitored by its parents and not… well anyone else frankly, that insulin pump monitor to only be controlled or monitored by patients and doctors and your internet connected home full of smart light bulbs to just emit light when required and not collaborate with other light bulbs in a hive minded denial of service attack against key corporate targets. “We need to be careful”, is the message there.
Am I making these dangers up? No. One simple example would be the Smart Teddy Bear whose cloud based storage was hacked into, releasing the 2 million parents’ and kids’ voice messages. What was the motivation to hack into that? Another along the same lines was an IoT Barbie doll that could allow hackers to intercept conversations. A more complex example would be the Mirai BotNet. This was a recent (2016) automated bit of malware which targeted vulnerable IoT devices and collaborated with them via a command and control center (go listen to my ransomware podcast) for malicious purposes. In this case they used this acquired network to fire distributed internet traffic at selected targets. It was even smart enough to avoid infecting any devices that might be security or government related, allowing it to stay hidden for longer.
You would think that if commercially minded organisations decided to use open source for their products they would be really good at making sure they didn’t use the stuff that could be vulnerable in some way, right? RIGHT!?
Clearly(?) these devices broaden our lives and offer conveniences never before dreamed of but at what cost? Companies creating them, and to a significant extent the software developers within them, are not incentivized by ensuring their products are secure but more by time to market and feature richness. Features and novelty result in sales, which provide a direct return, whereas security is often looked at the way we treat… well most aspects of security in our lives. It’ll never happen to us. It’s rare. We take risks often without consideration for what happens if IT does and what the costs are.
I’d just like to add that creating a secure IoT device isn’t easy! I’ll get a bit geeky on this for a moment. These devices are using a ton of open source software that may or may not be vulnerable to attack. The devices themselves have a large attack surface because they often use technologies like NFC, Bluetooth or WiFi to communicate and very often they use cloud services (I’ll do a podcast on The Cloud soon) to store and exchange data. Keeping any and all of these different facets of this technology impervious to hackers is not only difficult, it is bordering on impossible. One of the main reasons I’ve already mentioned is that many product developers are not there yet in terms of being security minded. What makes it even more difficult is that even a security savvy company can release a product now that is secure, but may not be in 3, 6 or 12 months as new developments or vulnerabilities are found. (Hackers don’t rest). A study showed a Smart TV released just 3 years ago with 0 vulnerabilities at that time can have as many as 1000 possible vulnerabilities just a few years later.
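For the geeks, here is that "secure today, vulnerable later" drift as an added example (not part of the original post): the same unchanged firmware component list is re-checked against advisories as they are published. Every component name, version, advisory id and date below is a constructed placeholder.

```python
from datetime import date

# Constructed firmware inventory (an SBOM in miniature): component -> shipped version.
FIRMWARE = {"examplessl": "1.0.2", "tinyhttpd": "2.4.1", "libmedia": "0.9.7"}
RELEASED = date(2015, 1, 1)  # constructed release date

# Constructed advisories: (placeholder id, component, first fixed version, published).
ADVISORIES = [
    ("ADV-0001", "examplessl", "1.0.3", date(2015, 6, 1)),
    ("ADV-0002", "tinyhttpd", "2.4.0", date(2014, 3, 1)),   # fixed before we shipped
    ("ADV-0003", "libmedia", "0.9.10", date(2016, 2, 1)),
    ("ADV-0004", "examplessl", "1.1.0", date(2017, 9, 1)),
    ("ADV-0005", "otherlib", "3.0.0", date(2015, 2, 1)),    # not in this firmware
]

def parse_version(text):
    """Turn '0.9.10' into (0, 9, 10) so 0.9.7 < 0.9.10 compares numerically."""
    return tuple(int(part) for part in text.split("."))

def known_vulnerabilities(inventory, advisories, as_of):
    """Advisories public on `as_of` that affect a shipped, unpatched component."""
    hits = []
    for adv_id, component, fixed_in, published in advisories:
        shipped = inventory.get(component)
        if shipped is None or published > as_of:
            continue  # component not present, or advisory not public yet
        if parse_version(shipped) < parse_version(fixed_in):
            hits.append(adv_id)
    return hits

def exposure_timeline(inventory, advisories, released, years):
    """Count known vulnerabilities at release and at each anniversary after it."""
    timeline = []
    for year in range(years + 1):
        as_of = released.replace(year=released.year + year)
        timeline.append((year, len(known_vulnerabilities(inventory, advisories, as_of))))
    return timeline

if __name__ == "__main__":
    for year, count in exposure_timeline(FIRMWARE, ADVISORIES, RELEASED, 3):
        print(f"release + {year}y: {count} known vulnerabilities")
```

Nothing on the device changed between year 0 and year 3; only the list of published advisories grew, which is why a device that never updates gets worse on its own.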
To the lay person that might sound odd. How can a technology that you don’t touch become vulnerable? If you can imagine, anything that is developed on the cutting edge always seems ok at the time. Take smoking for example. It was marketed as a cure in the early days and I think we all know how that turned out. That is a bit abstract I know. The same goes for software. A complex programmatic solution is designed primarily to solve a problem. It’s very difficult to conceive of every possible abuse case for those intentionally misusing the technology. Try combining that technology with other fresh hardware and software technology into a complex system and you have an almost infinitely compromisable creation. We just don’t know how to do it yet. What inevitably happens with all technologies is that your bad guy hackers start straight away trying to figure out all the cracks in the armour and when they do… they take advantage. The good guys try to keep up to date by finding the problems (or bugs as we call them) first and patching their products but very often, the bad guys find the issues first and presto… we have headline news.
You may have heard about a Smart Car technology in a Jeep which was hacked a few years back by some researchers and the hack allowed them a certain amount of remote control over the vehicle. This was a product of years of research and not your typical Hollywood 10 second hack, but nevertheless it was possible using a complex series of minor cascading vulnerabilities in the car’s infotainment and control system.
Why do we keep churning out these IoT devices and why do we as customers keep gobbling them up? The latter statement is the reason for the former. If we buy it, companies will make it. Money is the motivation to the companies. Novelty and frankly sometimes just straight up laziness can be the motivator for the users. Us humans sometimes aren’t as smart as we like to think we are.
But we can fix that! With Technology!
The big trend is that many of these devices are now called “Smart” devices. Smart toaster, smart TV, smart monitor, smart watch! “Smart” is the official word marketing people use to mean “this thing is connected to the internet so by buying it, you’re SMART too!” Boom! Welcome to IoT. “Smart” as a marketing tool or phrase has been around for quite a while. Smart Marketing is a thing, Smart Workplace is that bullsh1t office space ideal where you only have hot desks but everybody sits in the same place every time anyway, apparently reverting naturally back to the Stupid Workplace. There are also SMART Goals for measuring performance. The point being if you want people to feel smart just call your thing the “Smart” thing and people will immediately dive into the sea of irony and use or try it with maximum unquestioning stupidity.
If you do decide to be an early adopter and go full IoT with a Smart Fridge and Smart Vacuum then the advice from me would be to find out if the device can update itself to ensure it’s always patched with the most current software. Much like what I said about Ransomware in my previous podcast, it’s good to keep your computers and devices up-to-date at all times, even if it’s a bit of a pain. I know this pain because my Smart TV is always bugging me to update and it takes about 15 minutes. I want to watch my show NOW so I say no and then forget to update it after I’m done. I’m kidding, I set an alarm to update before I go to bed. I’m a security professional so I’ve got to lead by example don’t I.
Still up for going full IoT Smartness? Let’s end this with a few examples of how we can get involved as early adopters in IoT.
From gizmodo’s top 15 IoT items, I’m going to focus on a top 5. I’m also going to reverse the order because I think they got it wrong.
5. The Trakz fitbit type thingy for your DOG!
4. The HidrateSpark glowing Smart Water bottle that tells you when you’re thirsty. Until you leave it at the gym or at the side of a field by accident. It’ll probably come with a locator in the v2 version.
3. The Kerastase Hair Coach! Do you look like a Kardashian? No! It’s because powerful sensors and electronics aren’t “talking to your hair” to tell you how to brush it to make it more luxurious. Idiot… it’s a Smart Brush! Get it.
2. The Smart Egg Minder! It goes in your fridge so you can tell from 3000 miles away if you have enough eggs and whether they are still edible. Yum!
1. This is a joint prize shared between…
The We-Vibe… yes together we can monitor the successes and failures of women (and men) who are enjoying the incalculable and now calculable benefits of a Smart Dildo. Wifi up your body cavities with this essential tech.
The i.Con! Never has a bedroom argument been more one sided than one backed by technology. It’s a Smart Condom that I can only assume gives you feedback on your stellar performance by measuring thrust speed, frequency and of course calories burned. Hey… and guess what… there’s a community you can join to compare notes. (buy yours here https://britishcondoms.uk/icon-smart-condom.html)… this one is British so there’s something that the Brexiters can latch onto and be proud.
This article has been not sponsored by SmartPipe! Flush with POWER!