How Do We Put Locks on the Internet?
Posted by JR Reagan on December 5, 2013
|Follow JR @IdeaXplorer||Connect with JR|
In the physical world, keeping valuables safe used to be a relatively straightforward process. Important papers and priceless objects went into locked files, a safe, or a safe-deposit box at a local bank. Deadbolts and security systems protected homes, just as locks and ear-piercing alarms ensured that our cars would remain where we parked them the night before. To guarantee personal health and safety, people with chronic and life-threatening conditions were carefully monitored by frequent trips to their doctors’ offices, and those finding themselves in sudden danger phoned 9-1-1 for swift assistance.
But now our physical world isn’t merely physical anymore. We reside in an Internet of Things, where our cars and homes and many of the things inside them – indeed, even objects inside some of us – are connected through wireless networks or transmit information via embedded devices.
This Internet of Things already has a vast population…and it’s growing at an almost unfathomable rate. In 2008, the number of things connected to the Internet exceeded the number of people on Earth. According to this article, it is proposed that by 2020 there will be 50 billion Internet-enabled devices. Others predict an even more rapid growth rate, putting the number at one trillion devices by 2015 (that’s just two years away!).
Convenient, but vulnerable
Life in this Internet of Things is more convenient, efficient, and some would say even more fun than it was before nearly everything was connected.
We can start our cars and heat up their interiors on snowy days as we finish our morning cups of coffee. Navigation systems get us to our destinations on time, and our cars can even recommend nearby restaurants if we’re hungry while on the road. With smartphones and other Internet-enabled devices, we can keep an eye on the kids, change the thermostat, turn the sprinklers on to water the lawn, or play games with people on the other side of the world. Patients with heart conditions or diabetes can receive treatment from their physicians through wireless, embedded devices, which save countless trips to doctors’ offices, and improve and—in some cases—save lives.
It’s a great place to live, this Internet of Things. But unlike our physical houses and automobiles, which were built with safety as a key feature, not all the devices we use today had security factored into their design processes. This doesn’t mean their manufacturers were careless – it simply indicates that there are new security concerns, many of which would have been hard to imagine just a few years ago.
But now, under the scrutiny of security professionals and other watchdogs, manufacturers and governments are stepping up to identify the vulnerabilities inherent in the Internet of Things, and propose some much-needed fixes.
A Google researcher involved with Internet security and privacy reported in January that 18.4% of Internet users in the U.S. had had at least one online account compromised. We’re all too familiar with tales of such breaches.
What many of us aren’t as aware of are the new vulnerabilities introduced by the Internet of Things. It’s a brave new world, one still in its infancy…and security experts are warning that now is time to identify susceptible areas and construct defense systems. The loudest alarms are being raised about devices that could have life-threatening consequences if compromised.
The Center for Automotive Embedded Systems Security (CAESS) has identified a number of vulnerabilities in cars. A collaboration between UC San Diego and the University of Washington, CAESS’s mission is “to help ensure the security, privacy, and safety of future automotive embedded systems.” In its most recent study, CAESS found that autos could be compromised through their CD players, Bluetooth, FM radios, cellular connections, wireless tire pressure sensors, mechanic’s diagnostic tools, and other entry points.From a laptop, the organization was even able to control, in some ways, a moving car.
CAESS states, “We argue that now is the right time for the full range of stakeholders – including not only car manufacturers, parts suppliers and technology providers, but also government regulatory bodies, the insurance industry, computer security and privacy researchers, and public interest groups – to focus on these issues together and ensure that our automobiles remain secure in spite of their technological transformation.”
Like cars, embedded medical devices have become far more complex in recent years, and many now rely on wireless technology to communicate vital information and dispense treatments. In August 2012, the GAO released the findings from its study of the information security risks associated with them.
“Although the risks resulting from unintentional threats have long been known, information security risks resulting from intentional threats have only recently been confirmed,” explains the GAO as the rationale behind its study. It recommends that the FDA develop an extensive plan that addresses four specific areas of concern. In the comments section of the report, the Department of Health and Human Services added that the FDA has already begun to do so, noting that it “is establishing collaborative relationships with DHS, NIST (National Institute of Standards and Technology), and the Department of Defense, and is engaging other stakeholders to consider the potential applicability of standards from other sectors, such as industrial control, to medical devices.”
The Federal Trade Commission (FTC) isn’t far behind in trying to identify and remain ahead of new threats. In an April 2013 press release, the FTC issued an open invitation to the public to comment on the “consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances, and medical devices” in preparation for an open workshop that was held in November 2013 in Washington, DC.
Who’s the sheriff when there is no town?
The Internet of Things – a massive population of devices that spans the globe – has no borders, and at this date, its governance falls within hundreds, if not thousands of jurisdictions.
If someone stole your car, you’d report it to the police. They’d collect evidence and try to track down the perpetrator. But what if someone hacked your car? You’d probably still call the police. And if your local police department happened to have skilled cyber-detectives, they might be able to identify who was behind the hack…but good luck prosecuting the criminals if they’re located half a world away, in a jurisdiction that doesn’t want to cooperate.
Nearly every nation is still wrestling to keep apace with the complexities of cyber threats from traditional Internet sources. How will they police the Internet of Things? In January, Wired seemed to suggest that it’s not possible. “Even the European Union Commission, with its strong track record on privacy issues, acknowledged that its well-regarded Data Protection Directive law would be unable to cope with the Internet of Things.”
So if the laws and those appointed to enforce them can’t guarantee security in an Internet of Things, what will? Could new technology, driven by user needs and developed by innovative thinkers who see this as a vast, untapped market, come up with solutions? Perhaps in the not-too-distant future, you’ll trade in your car keys for an iris scanner, or say goodbye to passwords and hello to a fingerprint scanner.