This morning while absorbing large amounts of caffeine in a vain attempt to wake from a turkey-induced coma, I came across an interesting article over on Tech News World on the Internet of Things. As some of you know, prior to joining the connected world of telecom, I actually spent a while in the security space. Just long enough to adopt the constant state between paranoia and acceptance of the fact that everything is a security risk, much like my fellow security brethren.
So when I came across this article on the Internet of Things and the wonderful world of security as it relates to this new(ish) trend, it couldn’t help but intrigue me. Because, well, whenever society gets a new toy to play with, you know there is a beautiful dark cloud of exploitation just around the corner. The Internet of Things is wonderful, and it’s going to be a huge headache for security folks. Welcome to the (Unsecured) Internet of Things.
Working for a telco on the non-security side has been one of the most eye-opening roles I have had in a while. Not only do I get to see how Canada is starting to embrace newer methodologies like BYOD and telecommunication, but it also lets me see into sides of the tech industry that I normally wouldn’t think about. In particular, what we call Machine to Machine, or M2M.
M2M is a funny and overlooked technology. It consists of connecting devices that you would never consider to be internet enabled. Things like vending machines, digital signage, and coming soon, cars. By embedding connectivity into these devices, much like you would connect a tablet to a 4G network, these devices suddenly have a broader life connected to the internet. This helps enable things like tracking your packages being delivered, or ensuring that stock levels are where they should be. But what happens when you connect a gigantic ball of steel and plastic with 4 wheels hurtling down the highway at 120 km/h? It might not be pretty.
Don’t get me wrong. I love technology, I also love cars. But should cars really be connected? Yes and no. On the one hand the ability to not have to tether my car to my phone to get internet connectivity is a great incentive. GPS, internet radio and other tools of mass distraction make the idea of connecting a car attractive. After all, the more information that our vehicle can communicate, the more we can benefit. From faster reaction times in avoiding collisions thanks to enhanced sensors, more accurate information on how your car is performing, and of course, the ability to get faster assistance should your car get in an accident or stranded, there are some great benefits to connecting a car. Not to mention all the wonderful applications and entertainment options that this will no doubt inspire.
But like any connected device, there are some significant risks. Let’s face it, it’s one thing to hack into a computer with a traditional OS. At least with a traditional computer, you should hopefully have the ability to secure your data with tools such as encryption, IDS/IPS, and SIEM. But what if there is no traditional OS? What if you are talking directly to an application in a vehicle? What if it’s based on an OS that isn’t enhanced enough in the security department? What happens then?
I’ve never been a fan of fearmongering, but the reality is that M2M is an exploitable technology. The sensors and platforms were never designed (for the most part) to deal with threats seen mostly in the computer world. But they happen. Imagine, if you will, the repercussions should someone DDoS an M2M device? It’s one thing if it’s an inventory system, yes, this would have implications when it comes to loss protection and inventory accuracy. But what would happen if this is done to a ball of plastic, glass and steel that is hurtling down the highway? All of a sudden there is a more immediate and potentially hazardous situation. Imagine if it was a self-driving car? How could these vehicles be compromised? How could you recover from a car that has been turned into a bot?
I could talk for hours on this topic, but I really wanted to start the ball rolling when it comes to the industry realizing that as we create more advanced and connected technologies, unless we are building security into them from the ground up, we simply must have a plan in place to protect these entities. It’s not enough to dismiss them as “well, why would they want to compromise a (insert device here)”? The reality is that people love to tinker, and if there is a potential gain to be had, even more reason.
If you have a few minutes, I really recommend the following article on this fascinating topic. At least it will make you rethink next time you consider the Internet of Things and how it will change how the world communicates and what kind of control it has over our day-to-day lives.
Insecurity and the Internet of Things, Part 1 can be found at: http://www.technewsworld.com/story/79180.html