The IoT: Time to Get it Right

The Internet of Things security issues seem close to creating panic in the streets. So, maybe it's time to do IoT security the right way, baked in.

James M. Connolly, Contributing Editor and Writer

November 1, 2016


Somehow the Internet of Things has gone from being a miracle drug for every business, energy, security, transportation, and residential problem to The Plague.

In some dreams, the IoT was the cure-all that would give us everything we wanted to know about a customer based on their shopping pattern, their home activities, and their travels. Those same dreams presented the IoT as the ultimate operational efficiency tool for businesses.

Are those dreams dashed now that IoT devices have been blamed for the recent distributed denial of service (DDoS) attack on Internet management company Dyn? That attack brought down a lot of websites, particularly in the eastern United States. Maybe it was a sign of a pending return of the Black Death seven centuries later.

Or maybe the IoT needs to be judged in the same way that pro athletes are evaluated: Not really as good as they are on their best days, and not as bad as they are on their worst.

We will be looking more closely at the IoT throughout November.

However, the analyses of the Dyn incident raised some points that are important to keep in mind as we go through this first week of November with our All Analytics Academy program Data Privacy for All, for You.

The Internet traffic that overwhelmed Dyn often came from relatively low-cost consumer devices that were easily targeted with the malware that joined the attack. They didn't have what some call "baked-in security," protection designed in from the start. If you entrust your home, your business, even your family to something like a $100 security system, you get what you pay for.

Security company Forescout has an interesting paper that details the vulnerabilities of seven common IoT devices. In most cases the vulnerabilities turn out to be pretty apparent, and could be fixed with a little extra work at the design phase: flaws such as weak or non-existent credentials or a lack of encryption on IP-connected security cameras.

This "baked-in security" goes hand-in-hand with our A2 Academy session scheduled for Thursday, when Greg Reber of AsTech Consulting will present best practices in "baked-in privacy." (The Academy program opens today with a presentation on customer privacy by Sagi Leiserov of Ernst and Young.) You see, all of those IoT devices that could be used to launch a DDoS attack also could be feeding your private information to someone with evil intent. That information could be your company secrets, personal data about employees, or the financial data of customers.


One thing we know about baked-in security or privacy is that it makes sense. It's exactly what we wish the folks at Microsoft had done with Windows many years ago, and what we want from mobile apps, corporate devices, and home automation technologies.

Common sense says that we should have baked-in security, but dollars and cents say that we don't. As tech buyers we are as guilty as those companies that build or sell technology. Whether we are buying for ourselves or a giant enterprise, we want technology to be cheap, easy to use, and available now.

Our rush to buy, our distaste for measures like complicated authentication, and our penny-pinching justify our tech suppliers' attitude of "just get it to market."

The sad part about what is happening right now with the IoT is that we've known from the start that the IoT presented an opportunity to do it right. We had a chance to redesign networks, build in authentication, and isolate unrelated devices and applications from each other. Instead, we get to wonder who can see what that security camera sees, and where that retail store beacon data really is going.

Maybe it's not too late to tighten up IoT security, to do it right from the start. Let's get off on the right foot by heeding the advice that Greg Reber shares in the A2 Academy on Thursday. Remember, cheap, easy, and available is no way to go through life.

 


About the Author(s)

James M. Connolly

Contributing Editor and Writer

Jim Connolly is a versatile and experienced freelance technology journalist who has reported on IT trends for more than three decades. He was previously editorial director of InformationWeek and Network Computing, where he oversaw the day-to-day planning and editing on the sites. He has written about enterprise computing, data analytics, the PC revolution, the evolution of the Internet, networking, IT management, and the ongoing shift to cloud-based services and mobility. He has covered breaking industry news and has led teams focused on product reviews and technology trends. He has concentrated on serving the information needs of IT decision-makers in large organizations and has worked with those managers to help them learn from their peers and share their experiences in implementing leading-edge technologies through such publications as Computerworld. Jim also has helped to launch a technology-focused startup, as one of the founding editors at TechTarget, and has served as editor of an established news organization focused on technology startups at MassHighTech.
