Data security firm IOActive recently announced it discovered a series of vulnerabilities in the popular WeMo Home Automation system. The system, developed by Belkin, uses WiFi and mobile internet to monitor and control home appliances and electronics, allowing users to operate their devices remotely. The gadget is an early example of the Internet of Things—the trend in technology that will ultimately connect billions of everyday devices from thermostats to utility grids.
But according to a report released this week, security flaws in the WeMo could open up half a million users to cyber attacks. The report claims these vulnerabilities could allow hackers to control devices, perform malicious malware updates, and even access an internal home network.
Mike Davis, IOActive’s principal research scientist, pointed out how the WeMo’s motion sensors might also allow criminals to remotely monitor occupancy within the home.
On its face the report is alarming, but the reality isn’t so scary. First of all, no such attacks appear to have occurred, and second, Belkin has already taken steps to beef up the security of its products. In many ways, the report just stokes fear of a world where digital information seamlessly merges with physical infrastructure.
As more and more "things" come online, the demands of keeping those devices secure grow rapidly. In a recent op-ed for Ars Technica, Peter Bright even quipped that the IoT may come to be known as the "Internet of unmaintained, insecure, and dangerously hackable things." Most would assume that, if that scenario did come to fruition, consumers would just as soon ditch their connected ovens and smart locks.
"The idea that we don’t need or don’t want something today doesn't mean we won't want it tomorrow," says Michela Menting, a senior cybersecurity analyst at ABI Research.
That said, Bright makes a good point about one thing...
Business Insider recently reported that the number of "things" connected to the internet will reach 9 billion by 2018—up from the current estimate of 1.9 billion. To put that figure in perspective, it's roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs in use today. Gartner predicts the tally of connected things will surpass 25 billion by 2020.
The problem with that, according to Bright, is that many of the "dumb" devices that will soon be connected to the internet—from thermostats to coffee makers—haven't been subjected to the rigorous evolution of security protocols associated with standard connected devices. Said another way, hardware companies aren’t very good at writing software—let alone securing it.
It follows, then, that manufacturers—specifically appliance makers—need to be more diligent about securing their software. And that's something many of them are not accustomed to. The challenge is exacerbated by the need for what Bright claims would be a "lifetime of software fixes and updates," which appliance makers are not exactly wont to provide.
Last November, the Federal Trade Commission hosted a workshop to discuss the security implications of the IoT. It was largely agreed that the major players behind home automation technologies "may not fully appreciate and account for the privacy and security of the embedded device, and simple vulnerabilities may allow hackers to break into devices."
Crucially, the FTC noted that such devices should not depend entirely on consumer WiFi and home networks being properly secured—something Belkin is absolutely guilty of in its approach to securing the WeMo.
However, many of these security concerns are as myopic as the starry-eyed predictions of IoT zealots. For every doom-laden prophecy about an industry run amok with Mad Max-like cyber criminals, there’s a quixotic puff piece heralding the economic paradise just over the horizon, and the end of all human sadness.
A recent industry survey by UBM Tech and VDC Research found a huge variety of opinions regarding the potential vulnerability of IoT devices. More than half of respondents (52 percent) agreed that devices are "somewhat vulnerable," while 27 percent claimed they are either "not very" or "not at all vulnerable." Only 2 percent agreed that IoT devices are "extremely vulnerable."
That's not to suggest manufacturers should turn a blind eye to security, but it does suggest that the situation is not as dire as some would make it seem. Regardless, one thing is certain: Security demands will continue to rise in tandem with the proliferation of connected devices. And more importantly, those demands will take on increasing financial weight. Companies that aren't able to keep up with security will find themselves under pressure from both consumers and regulators, so the incentive to innovate and safeguard against hackers is real.
ABI's Menting agrees: "Security is a niche market," she told Reviewed.com in an email, "but it is selling well, and continues to grow exponentially. There’s no reason to think that people will not want to spend more to secure larger more expensive goods for the long term."
Many claims about the possibilities of a connected infrastructure read like science fiction—grandiose and often outright utopian. They describe a world where everything in your life is fully automated, where all of your devices know what you want and need before you do.
But do we really need a smart water bottle? How much do connectivity and app functionality improve upon a Nalgene bottle? Do we really need machines to tell us when to eat, or drink, or brush our teeth?
There's also a philosophical question here: By shoehorning "smart" functionality into a fundamentally simple device, don't you prevent yourself from having conscious interactions with that device? Said another way, replacing human, tactile operation of a device—be it a car, dishwasher, or coffee maker—with automated processes ultimately tends to leave you ignorant as to how it actually works.
Consider a coffee maker that monitors your sleep schedule and starts brewing five minutes after you wake up. Embedded in this concept is the assumption that more technology can improve upon any human-machine interaction, but it's an improvement that's so marginal as to hardly exist. Manually operating our coffee makers simply doesn't consume that much of our precious time and mental capacity. (And if you really think it does, Starbucks and Keurig machines are always at your disposal.)
Over time, this learned reliance on automation has (at least in part) contributed to a lack of skills in the labor force—particularly when it comes to heavily mechanized processes. And yet the trend is celebrated by pundits as a means of "freeing our cognitive resources."
This thinking is widespread in tech culture, but many experts are beginning to warn against it. In an op-ed for The New York Times, Evgeny Morozov argued that this attempt to "bury technology" does a disservice to human intellect:
“Pick any electrical appliance in your kitchen. The odds are that you have no idea how much electricity it consumes, let alone how it compares to other appliances and households. This ignorance is neither natural nor inevitable; it stems from a conscious decision by the designer of that kitchen appliance to free up your ‘cognitive resources’...
“On many important issues, civilization only destroys itself by extending the number of important operations that we can perform without thinking about them. On many issues, we want more thinking, not less.”
Atoms and Bits
Still, there is a seemingly irresistible inclination to embrace the Star Trek–style promises of the IoT. Jim Stogdill, general manager of the upcoming IoT conference Solid, argued in a recent Wired interview that the arrival of the IoT should be perceived as something more like the industrial revolution than the digital revolution, in that it combines the traditionally disparate ecosystems of infrastructure and information.
"When the digital age began accelerating," Stogdill told Wired’s Glen Martin, "[MIT Media Lab founder] Nicholas Negroponte observed that the world was moving from atoms to bits—that is, the high-value economic sectors were transforming from industrial production to aggregating information.
"I see the Internet of Everything as the next step," he added. "We won't be moving back to atoms, but we'll be combining atoms and bits, merging software and hardware. Data will literally grow physical appendages, and inform industrial production and public services."
Indeed, this vision aligns with the larger narrative behind the IoT, which seems to oscillate between utopian promises of an automated infrastructure and the dystopian portents of privacy in exchange for security. The actual story is more complicated than either scenario—neither ominous nor fanciful.
To be clear, the IoT is a fundamentally revolutionary concept that will transform our relation to the physical and digital worlds, but the idea that society will fully succumb to the intoxicating prospect of mass automation seems dangerous, suspiciously utopian, and contrary to human nature. We may need to temper our expectations.