I’m just off to reboot my smart toilet
A certain pop star had a husband who was, as is so often the case, inappropriately intimate with the family’s hired help. He recorded some of his below stairs adventures on his iPhone, no doubt to act as a comfort in his later years. Unfortunately, he’d either forgotten about iCloud or couldn’t work out how to configure it correctly (as I can’t) with the dramatic consequence that the screen saver on his wife’s iPad was transformed from a selection of treasured family snapshots into a flick book version of Pornhub.
Connecting everything on the Internet has unexpected consequences and they are getting worse. With the Economic Times estimating that there are already some 50 connected devices per household, we have a problem that is spiralling out of control.
A generation on from the famous “on the Internet nobody knows you’re a dog” cartoon that became a staple of management consultants’ presentations ever after, the situation is now far worse. On the Internet now, no-one knows you’re a toaster either. Or, for that matter, a toaster pretending to be a dog intent on bringing down our online economy. If the Internet of Things (IoT) really is going to be a platform for embedded financial services, then it will need a serious security makeover.
Adding mass market, inexpensive and insecure devices to a global network is taking us into uncharted territory when it comes to risk. I recall that, following the last massive Internet outage caused by a “botnet”, a number of commentators remarked how odd it is that a network designed to withstand nuclear war could be disrupted so badly by toasters, nanny cams and video recorders. And that seems a fair, and rather damning, point to make about the nature of our infrastructure.
If you’re wondering, by the way, a botnet is a collection of devices (computers, toasters, cameras and anything else that can be reached through the interweb tubes) that have fallen under the control of some third party and can then be used in a massed and concerted fashion either for good (e.g., searching for radio signals that might indicate extraterrestrial life) or evil (e.g., overloading bank web sites so that customers can’t get through). Just to indicate the scale, a botnet “denial of service” attack against a European bank last month managed to marshal enough devices to hit the bank’s web site with 800 million requests per second, overwhelming its defences and making it impossible for the bank’s customers to access their accounts.
This does not look good for the future. Sooner or later a cyberspace Covid 3.0 will come along and then we are really in trouble. There’s no possibility of social distancing online because we’ve gone berserk connecting things up but we’ve overlooked how to disconnect them. Or, in bumper sticker form for the modern electorate, I might be tempted to paraphrase that doors are easy, locks are hard.
Anyone can connect their kettle, car or children to the Internet. And it’s tempting to do it just because it can be done. But keeping them secure? That’s another and altogether more difficult problem. If we are going to make the IoT a platform for financial services, if we have a vision of luggage that can sort out least-cost routing and lightbulbs that can trade energy derivatives and cars that can buy their own insurance, then we’re going to have to pause for breath and rethink the platform, because that botnet is only the beginning.
(Actually, the toaster botnet mentioned above is, in its way, admirable. It involves the use of malicious software that wanders the highways and byways of the internet looking for devices that have been connected but do not have security defences in place. As it happens, this turns out to be almost all of them. Either the password has been set to “password” or some other easily remembered — and therefore easily guessed — word, or there’s no password at all, or there’s a bug in the software that can be exploited.)
This latter category is especially vexing. Suppose it turns out that my smart toilet (these do exist by the way – I have photographic evidence) has been shipped from Korea with an old version of software that the hackers can easily exploit. Now my toilet is going to need patching and then upgrading. But supposing the facilities to patch and upgrade my toilet do exist (“do not flush – upgrade in progress – download complete in 22 minutes”), how will the manufacturers persuade me to do this? What if the manufacturers have gone out of business? What if the upgrade is itself a trick designed to subvert my toilet for the amusement or profit of Eastern European hackers?
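The last question in that paragraph, whether an upgrade is genuine or a trick, is exactly what a device can check for itself if the vendor signs its updates and the vendor’s public key is burned into the device at manufacture. The Go program below is an added illustration, not code from the column or from any toilet manufacturer: the manifest layout, the version numbers and the “firmware image” bytes are all constructed for the example. The device refuses an update whose manifest signature does not verify, whose version is not newer than the one installed (so an attacker cannot push it back to an old, exploitable build), or whose image bytes do not match the digest the vendor signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the constructed update descriptor the vendor signs: the version
// the image claims to be and the SHA-256 digest of the image bytes.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// bytes gives the canonical encoding that is signed and verified.
func (m Manifest) bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// SignUpdate is the vendor side: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.bytes())
}

// Device holds the vendor public key installed at manufacture and the
// firmware version currently running.
type Device struct {
	VendorKey ed25519.PublicKey
	Version   uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageDigest  = errors.New("image does not match the signed digest")
)

// ApplyUpdate checks, in order, that the manifest is genuinely from the vendor,
// that it is newer than what is installed, and that the delivered image is the
// one the manifest describes. Only then does the device move to the new version.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrImageDigest
	}
	d.Version = m.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair (constructed)
	image := []byte("constructed firmware image v4")
	m, sig := SignUpdate(priv, 4, image)

	dev := &Device{VendorKey: pub, Version: 3}
	fmt.Println("genuine update:", dev.ApplyUpdate(m, sig, image), "now at version", dev.Version)

	dev = &Device{VendorKey: pub, Version: 3}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", dev.ApplyUpdate(m, sig, tampered))

	dev = &Device{VendorKey: pub, Version: 5}
	fmt.Println("older build:", dev.ApplyUpdate(m, sig, image))

	forged := m
	forged.Version = 9 // version bumped without the vendor's key
	dev = &Device{VendorKey: pub, Version: 3}
	fmt.Println("forged manifest:", dev.ApplyUpdate(forged, sig, image))
}
```

The order of the checks matters: the signature is verified before anything in the manifest is trusted, so the version comparison and the digest are only ever read from data the vendor actually signed. Note that this does nothing for the other questions in the paragraph; a manufacturer that has gone out of business cannot sign anything, which is an argument for the kind of infrastructure the column goes on to describe.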
Leaving it up to consumers will not work. We cannot trust the populace to configure their smart device firewalls any more than we can trust pop stars to configure their iClouds, so selling toasters that can be hacked (even if it is by the CIA) ought to become as unthinkable as selling cars without seatbelts.
The noted security expert Bruce Schneier (one of the key thinkers in this space) has rather eloquently likened IoT’s market failure (which is that I don’t care that my toaster is insecure and is bringing down your bank, and neither does the manufacturer – it’s cheap and it works) to a kind of post-industrial pollution. It’s an externality that can only be fixed by society as a whole and, as unfashionable as that might be, that means regulation. It’s time to begin a conversation about what that regulation might be, before it’s too late. California’s SB-327, which requires manufacturers to give each device its own password rather than a shared default, is a good example of what’s needed, but it’s only a start. As the Business Software Alliance’s useful principles for “Building a Secure and Trustworthy IoT” say, security policies should “incentivise” security through the IoT life cycle. That means a different mindset and it’s a mindset that sees the need for an infrastructure.
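The “password set to ‘password’” failure described a few paragraphs earlier, and the SB-327 style requirement just mentioned, come together on the factory line: a unit should not leave with a factory default, and every unit should get a credential that no other unit shares. The Go program below is an added example, not code from the column, the BSA or any manufacturer; the list of default credentials and the serial numbers are constructed for illustration, and the 12-character minimum is an assumed policy, not anything SB-327 itself specifies.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// defaultCredentials is a constructed sample of factory defaults that a
// provisioning check refuses; a real vendor would maintain its own list.
var defaultCredentials = map[string]bool{
	"":         true,
	"password": true,
	"admin":    true,
	"1234":     true,
	"12345678": true,
	"default":  true,
}

var (
	ErrDefaultCredential = errors.New("credential is a known factory default")
	ErrTooShort          = errors.New("credential is shorter than the 12-character minimum (assumed policy)")
)

// CheckCredential rejects empty or well-known default passwords and anything
// below the (assumed) minimum length.
func CheckCredential(pw string) error {
	if defaultCredentials[strings.ToLower(pw)] {
		return ErrDefaultCredential
	}
	if len(pw) < 12 {
		return ErrTooShort
	}
	return nil
}

// GenerateDeviceCredential draws 120 bits from the OS random source and encodes
// them as 24 base32 characters, so every device gets its own unpredictable value.
func GenerateDeviceCredential() (string, error) {
	buf := make([]byte, 15)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(buf), nil
}

// Device is one provisioned unit: its serial and the credential printed on its label.
type Device struct {
	Serial   string
	Password string
}

// Provision gives each serial its own credential and re-runs CheckCredential on
// the result so a bad generator cannot quietly ship a default.
func Provision(serials []string) ([]Device, error) {
	devs := make([]Device, 0, len(serials))
	for _, s := range serials {
		pw, err := GenerateDeviceCredential()
		if err != nil {
			return nil, err
		}
		if err := CheckCredential(pw); err != nil {
			return nil, fmt.Errorf("serial %s: %w", s, err)
		}
		devs = append(devs, Device{Serial: s, Password: pw})
	}
	return devs, nil
}

// UniqueCredentials reports whether no two units share a password, which is
// the property a per-device password rule is meant to guarantee.
func UniqueCredentials(devs []Device) bool {
	seen := make(map[string]bool, len(devs))
	for _, d := range devs {
		if seen[d.Password] {
			return false
		}
		seen[d.Password] = true
	}
	return true
}

func main() {
	for _, pw := range []string{"password", "", "Admin", "short1234"} {
		fmt.Printf("%q: %v\n", pw, CheckCredential(pw))
	}
	devs, err := Provision([]string{"SN-0001", "SN-0002", "SN-0003"}) // constructed serials
	if err != nil {
		panic(err)
	}
	for _, d := range devs {
		fmt.Println(d.Serial, d.Password)
	}
	fmt.Println("all unique:", UniqueCredentials(devs))
}
```

The check is deliberately run on the generated value as well as on anything a user later chooses, so the same rule applies to the label in the box and to the first-boot setup screen.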
There is no doubt in my mind that we should prioritise innovation and experiment here because the truth is that just as financial services need identity infrastructures for people (IDs), so next-generation financial services will need identity infrastructures for IoTs (IDIoTs).
Let’s start looking for the IDIoTs right away.