The Internet of Things (IoT) finds its way into your life slowly at first. An Alexa device in the kitchen is soon accompanied by a connected camera for your doorbell. Before you know it, you’re surrounded by gadgets made cheaply by companies that believe security is, at best, an afterthought.
The IoT is fraught with vulnerability issues, and hackers may enlist these devices as players in malicious botnets. That said, the IoT’s security problems are often overblown in the media. Every new technology has its stumbles, but those mistakes can be corrected.
We spoke with Bruce Schneier of Harvard’s Kennedy School to get a more realistic understanding of the threats the IoT faces. We caught up with him during his recent visit to Indiana University’s Center for Applied Cybersecurity Research (CACR), where he spoke about “Securing a World of Physically Capable Computers.”
Is IoT security handled differently than other devices?
It's not – it’s just done at a lower price point. Your computers and phones are as secure as they are because there are security and engineering people at Apple, Microsoft, and Google that are doing the best design to keep it secure in the first place and quickly writing and pushing out patches when vulnerabilities are discovered.
Those economics don't exist in low-cost embedded systems like DVRs, home routers, whiteboards, toys, appliances – anything. They're often designed offshore by third parties. Teams come together, write the code, and disperse. There aren't people on staff at that whiteboard company to patch the systems.
Even worse, a lot of these systems have no way to patch them. Right now, the way you patch your DVR is you throw it away and buy a new one. You just don't have the same economics that leads you to these well-designed, well-engineered, agile security systems that we have in these high-cost devices like phones and computers.
Is there anything unique about security in the IoT space?
What's changing with the Internet of Things is that computers can affect the world in a direct physical manner, unlike the spreadsheet on your phone, which is about data like your bank account. It could be a lot of important data, but it's just data.
The IoT includes vacuum cleaners, cars, thermostats – the things that actually change the world, things that could kill people in the way a spreadsheet never can.
It is not the internet we're used to. It is not the computer we're used to. We're used to computers that sit quietly and process data. Not ones that could freeze your pipes in a Minnesota winter.
This connects with your concept of the World-Sized Web, where all connected technologies are converging into a sort of robot. In describing this robot, you state that we may need to create a Department of Technology Policy. What would this look like?
These systems are being designed by corporations that are there to turn profits. And there is no other pressure on those systems, so you get systems designed to turn profits. You get no privacy because privacy is antithetical to profits.
We in society have to figure out how tech is fitting in, what the rules are, and what the laws are.
It's kind of like child labor laws. You don't let companies figure out child labor laws. That'd be dumb.
This indicates the possibility of building a regulatory structure. But I am not someone to figure out how to configure a government to regulate this. I gave it a name, and other people are going to be happy to get out there and figure out what it means.
It’s very easy to focus on the negative aspects of any tech trend. But is there anything about the IoT that gives you hope or excites you?
Oh, it's all great. I work in security, so I'm used to looking at the negative effects of all good things, but they're all good things. There's a reason we want all of this great Internet of Things. It's going to be cool. It's going to do good stuff.
Getting it right is important. That doesn't mean saying no to it. It means figuring out how to say yes without sacrificing our ideals as a society.