Had the recently departed filmmaker Wes Craven lived just a few years longer, the Internet of Things (IoT) might have provided him with the perfect fodder for one of his horror classics. After all, it has all the the potential to be the stuff that nightmares – or an episode of Phineas and Ferb – are made of.
Imagine smart, interconnected devices – from toasters and refridgerators to cars, planes and baby monitors – rising up during the night and revolting against their owners or society at large, spilling secrets and wreaking havoc. Kind of like Night at the Museum…except with malevolent electronic devices.
OK, that's a little dramatic, no?
In reality, smart devices on the whole haven't fallen under the sway of an evil nemesis, just a stray crook or two and a host of security researchers eager to expose and fix vulnerabilities. But while these devices haven't yet been marshaled to attack or serve as ever-present sentries in some sort of post-apocalyptic world, the IoT is poised to cause some security nightmares.
OUR EXPERTS: IoT
Larry Clinton, president and CEO, Internet Security Alliance
Stephen Durbin, managing director, Information Security Forum
Malcolm Harkins, CISO, Cylance
J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals
John Johnson,security industry executive
Sarah Lahav, CEO, SysAid Technologies
Shankar Somasundaram, senior director, IoT, Symantec
Craig Spiezle, executive director and president, Online Trust Alliance (OTA)
Mark Stanislav, senior security consultant, global services, Rapid7
Hilary Wandall, associate vice president, compliance and chief privacy officer, Merck & Co.
Ken Westin, security analyst, Tripwire
“There's a lot of malice and a lot of devices all around us and people doing bad things, dangerous things,” says John D. Johnson, a global security professional, noting that, for example, commandeering a pin sweep on a factory floor and causing the laser cutter to rotate 180 degrees could have dire consequences. So could tinkering with smart refrigerators – on a large scale – to ensure food spoils. In the shared waters of the internet with high-functioning devices, “we're operating in an unsafe environment,” says Johnson.
Adds Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), “in some ways it's the sleeping giant in the room that we can't ignore.”
No doubt, the much-anticipated IoT will bring much good to the world, facilitating the smooth flow of information – making us more productive by providing services and capabilities that we need (the fridge orders more milk, the toaster alerts to shorts and heads off potential fire, you can find almost anything by clicking on an app in your smartphone). And, in what could be a scene from your favorite sci-fi flick, Kaspersky Labs just embedded a chip in an employee volunteer.
Johnson himself is an advocate for the IoT – noting the quality of life, user experience, innovation and efficiencies it brings – and has worked tirelessly to bring security concerns about the IoT to the forefront where they can be dealt with and hopefully vanquished. The security executive, who sits on the Black Hat Executive Committee board and is leading the IoT track at the Global CISO Summit, contends the challenge of IoT “is a problem we can solve” with some thought, innovation and consensus.
Too big to secure?
But the security industry – as well as manufacturers, enterprise security pros and consumers – must work fast. The IoT, which seemed like a distant promise just a couple of years ago, is on the cusp of great growth. The number of devices is clearly exploding. Last November, Gartner predicted “that 4.9 billion connected things will be in use in 2015,” a 30 percent increase from the year before, and likely to grow to 25 billion by 2020.
“The good news is there is a lot of opportunity to secure IoT,” says Shankar Somasundaram, senior director, IoT, at security firm Symantec, which says it is now protecting more than one billion IoT devices. “The bad news: We've got to move now.”
We increasingly live in a more interconnected world, where smartphones, wearables and other devices have created “a complex ecosystem,” says Hilary Wandall, associate vice president, compliance and chief privacy officer of Merck & Co., a global health care company that operates in more than 140 countries. And Larry Clinton, president and CEO of the Internet Security Alliance (ISA), a trade association that seeks to combine advanced technology with economics and public policy, says, “A first grader can easily access things from all over the world.”
That level of connectivity certainly makes life much easier and gives a much-needed boost to productivity (information is at your fingertips in a couple of clicks), quality of life (workers can do their jobs at any time from anywhere) and efficiency (need to find a freight company that will haul your piano? There's an app for that!).
But all that connectivity and intelligence come with a price: The simplest device, a lowly toaster, for example, can become an entry point for an industrious hacker to use shared network resources in the benign environment of a home to access corporate assets that the homeowner taps into.