As the internet of things puts everything from TVs to fridges online, Gordon Holmes argues that security considerations are being ignored in the rush for profits
There's a new acronym on the street, folks, so you'd better get used to it. The term IoT (Internet of Things) is popping up everywhere atm (at the moment) and is set to become as ubiquitous as the BBC (British Broadcasting Corporation). OK, that's enough of that.
We touched on the subject last month when we spoke about smart TVs having the ability to listen to your conversations while waiting for you to issue a command. However, there is increasing concern among security researchers that the willingness of consumers to opt for the convenience of internet-connected stuff may also provide irresistible opportunities for the bad guys.
According to recent reports, even as we happily connect our fridge, thermostats, surveillance cameras and TVs to the internet, not a lot of thought is being put into the security of the data these devices transmit.
Researchers at HP Fortify have conducted a series of projects to examine the state of security in two classes of internet-connected consumer products. The first project looked at a number of consumer products, from TVs to home thermostats and alarm systems, and found an average of 20 vulnerabilities per system; the report can be found at tinyurl.com/hpiotstudy.
The second project examined home security systems, and found that 90 per cent of the devices collected personal information, 70 per cent transmitted data on an unencrypted network and 60 per cent had insecure user interfaces.
Eight out of ten of these systems didn't require you to specify a strong enough password when setting them up. In fact, the researchers found that it was relatively easy to brute-force the passwords of all the devices tested in order to gain control of the system. I'm hoping that these tests and their results receive the large amount of publicity that they deserve, and serve as a wakeup call to manufacturers to sort out their devices' security.
There is an initiative which aims to give help and advice to industry along these lines. The Open Web Application Security Project (OWASP, www.owasp.org) is a not-for-profit organisation dedicated to helping vendors who are interested in making common appliances and gadgets that are network- or internet-accessible. I wish them every success.
Certain politicians are lining up to dub the IoT the 'new industrial revolution' but, as we can see from the above, security considerations are playing second fiddle to the vast amounts of money that it's predicted the IoT will deliver. Last year Gartner, the information technology research and advisory company, predicted that the IoT industry could be worth $1.8 trillion - a truly breathtaking amount.
However, as all these new devices need to connect to the internet, the pressure to move from IPv4 to IPv6 will increase. As you may know, following the successful adoption of TCP/IP as the transmission protocol of choice, since the late 1980s we have been devouring IP address blocks as each of the Regional Internet Registries allocates IP addresses to ISPs. The number of available IP addresses is dictated by Internet Protocol version 4 (IPv4), which is a 32-bit system with a capacity of approximately 4.3 billion addresses, and our ever-increasing hunger for connectivity means that we are rapidly running out of numbers.
One fix that has been used for a number of years is Network Address Translation (NAT). This allows a single device, such as a router, to act as an agent between the internet and a local network, allowing a single IP address on the internet to represent an entire group of computers. This helps alleviate the demand for IP addresses in the short term, but this demand is set to explode as IoT devices proliferate.
The universal adoption of IPv6 will increase the number of available IP addresses from 4.3 billion to 340 undecillion - 340 followed by 36 zeros, or approximately 4,000 IP addresses for every man, woman and child on the planet. This should be enough to last us a while.
While moving over to IPv6 sounds like a great idea, we still have to overcome the hurdle that IPv4 devices will generally not speak to IPv6 devices, and this could be a problem for some networks. The problem is being worked through and most devices are now being shipped with dual IP capability, so hopefully that particular problem will disappear as older internet-connected devices are replaced.
Let's imagine that all the connectivity and architecture problems have been solved, and that we are all running IPv6-compliant devices. Even now we still face the problem of the inbuilt security vulnerabilities of the IoT kit we have deployed, as shown by the researchers at HP. Now is the time to address these issues, before the explosion of IoT devices is upon us.
I have also asked my colleagues in law enforcement how the adoption of IPv6 would affect their work. Most cybercrime work focusses on network investigation. This is tricky enough with IPv4 networks, but the adoption of IPv6 is a complete game-changer which will make such investigation very difficult indeed.
So, next time you see a politician standing on his soapbox waxing lyrical about the new industrial revolution, make sure you have a pinch of salt handy. In fact, make that 3.4x10 to the power of 38 pinches.