This is a guest post by Trevor Pott, professor emeritus of full-time nerdyness, systems administration, technology writing and consulting. Based in Edmonton, Alberta, Canada these days, Pott helps Silicon Valley start-ups better understand systems administrators and how to sell to them.
First off, I think we need to define what we mean when we talk about the Internet of Things.
Some people talk of sensors, others about “wearable computing/quantified self” technologies and still others about “home automation.” I think that we can safely define “the Internet of Things” as the collection of computers – big and small, from sensors to satellites – that are largely unattended and/or unmanaged.
I think this is an important distinction.
A computer that receives regular management or is regularly used by a human is very likely to receive regular updates, to have its behaviour monitored and for compromises on those systems to be noticed. Unattended computers, however, are the “scut work” technological robots of our society. Largely ignored unless they break or we need something from them, they idle away for years without maintenance.
Here you could put sensors
From Google’s Nest to the array of sensors making sure oil pipelines keep working. Baseboard Management Controllers (BMCs) that provide lights-out management to servers are in this category; they are their own separate computer from the larger unit they serve and yet the BMCs themselves are frequently ignored and left un-updated.
Throw in security cameras, ATMs, even the VoIP phones on your desk or the “public phones” that adorn your local airport and you begin to glimpse the barest fraction of what we’re dealing with. There are hundreds of thousands of computers driving displays in cities all around the world. There are computers running – quite literally – planes and trains and automobiles.
A disaster with no realistic end
Wearables, iPods, even the army of computers in our cars are increasingly Internet connected (at least some of the time), and don’t get the kind of “patch Tuesday” TLC we afford our primary systems. It’s a disaster that has already happened, it will get worse, and I see no realistic end.
Internet of Things apocalypse, now
New standards, APIs, protocols and radio tricks aren’t going to make the Internet of Things less of an accelerating security – and privacy – apocalypse. Like any “movement” in computing, the Internet of Things is here, now, today. It is largely a reclassification of that which was already occurring, but has now become enough of an issue – and an opportunity – to earn a cute moniker.
There are literally tens of thousands of different models of device using thousands of APIs on hundreds of variants of the same 10 or so basic operating systems. Even if we stopped all development of new IoT computer systems tomorrow it would take us the next 50 or so years to find every installed unattended computer on the planet and secure it. And we’re adding new computers at a rate that simply cannot be measured.
Future systems need a fundamental change in approach. We need to build our IoT devices with the idea in mind that they are compromised by default. We need to be adding in hard firewalls with application layer gateways and whitelisting the possible commands (and possibly origin points of those commands) that the onboard computers of our IoT equipment will ever process.
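As a sketch of that default-deny idea, the following added example (not code from this post or from any vendor) shows the decision an application layer gateway would make before passing a message to a device. The smart-bulb command set, the JSON message shape and the origin ranges are all assumptions constructed for illustration.

```python
import ipaddress
import json

# Hypothetical policy for a constructed smart-bulb example: every command the
# device may ever process, with its exact argument names and value bounds.
ALLOWED_COMMANDS = {
    "set_power": {"on": lambda v: isinstance(v, bool)},
    "set_brightness": {"level": lambda v: type(v) is int and 0 <= v <= 100},
    "get_status": {},
}
# Origin points permitted to issue commands (constructed documentation ranges).
ALLOWED_ORIGINS = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/28", "2001:db8:10::/64")]
MAX_MESSAGE_BYTES = 256


def check_command(source_ip: str, raw: bytes):
    """Return (allowed, reason). Default deny: anything unmatched is dropped."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "bad source address"
    if not any(addr in net for net in ALLOWED_ORIGINS):
        return False, "origin not allowlisted"
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message too large"
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "not valid JSON"
    if not isinstance(msg, dict) or set(msg) != {"cmd", "args"}:
        return False, "unexpected message shape"
    cmd, args = msg["cmd"], msg["args"]
    if not isinstance(cmd, str) or cmd not in ALLOWED_COMMANDS:
        return False, "command not allowlisted"
    spec = ALLOWED_COMMANDS[cmd]
    if not isinstance(args, dict) or set(args) != set(spec):
        return False, "unexpected arguments"
    if not all(check(args[name]) for name, check in spec.items()):
        return False, "argument out of bounds"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed traffic
        ("192.0.2.5", b'{"cmd": "set_brightness", "args": {"level": 40}}'),
        ("192.0.2.5", b'{"cmd": "firmware_upload", "args": {"url": "x"}}'),
        ("198.51.100.7", b'{"cmd": "get_status", "args": {}}'),
    ]
    for src, raw in samples:
        print(src, raw.decode(), "->", check_command(src, raw))
```

The denial reasons are worth logging: a device that suddenly receives commands it was never designed to process is exactly the signal automated monitoring should surface.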
We need automated update systems, automated monitoring. We need a means to do all of this and more while still protecting the privacy of individuals and corporations. As scary as the idea of someone turning your 50,000 IPv6 lightbulbs into a botnet that can form a platform launching real attacks against your corporate network is, the privacy implications of having every aspect of our lives monitored are so very much worse.
1984 cometh in 2014
Imagine what insurance companies – or governments – would do if they could track everything you eat, everything you excrete, how much of what exercise you’re getting, how much you pay attention when driving, how engaged you are when presented with various images/slogans/policies/pornography/“seditious materials”…you name it. Now consider that the technology to track all of that – and far, far more – not only already exists, much of it is in our homes and we don’t even realise.
Smart TVs have already been caught spying on us. Many come with cameras, and the XBox is equipped with not only cameras, but enough sensors to detect if your heart goes pitter pat that little bit faster when presented with blondes, or with redheads.
Start putting it all together, add in the fact that we’re all supposed to connect everything to “the cloud”, using our online identities, and storing all our information with the IT megaliths from the privacy-averse United States of America and I suspect you’ll be able to connect the dots. 20 years ago this would have been the stuff of dystopic science fiction. In fact, 15 years ago it would have been considered the ultimate in tinfoil hat paranoia.
Today, the panopticon is taking shape all around us. The only question that really remains is who will ultimately have access to the data; cyber criminals who only want your money, or corporations and governments who both desire a far more insidious and total level of control.
Nowhere in all of this do I see an out for the average man or woman. What are technologies embraced today only by a few “early adopters” will be mainstream in five years, socially mandatory in 10 and in all likelihood legally requisite in 25. Mark my words, we will look back on such gross social manipulation exercises as “think of the children” or “we need to fight the terrorists” with fondness. The quaint concepts of a more naive time.
We already live in a world where the average person cannot hope to defend their technological footprint against a targeted attack from even a mediocre cyber-criminal. A skilled practitioner of the arts can bowl over the defences of even trained professionals. We are adding millions, eventually billions of devices onto the internet to track our every move and we have just barely begun to think about how we might defend them.
If that isn’t bad enough, our future is one in which we will be monitored 24/7, and if we aren’t doing “our share” for society we will be penalised. Fewer tax breaks, higher insurance…who knows where that ends?
What can we do?
Short of refusing to participate altogether, we are facing the true end to privacy within our lifetimes. Not some .com airy-fairy concept that “the evil Google boogeyman will see what you like and advertise at you.” We’re entering a world where anyone – criminal, corporation, government, spouse or more – with the motivation and skills will be able to tell what you are doing, how you’re doing it, and to what degree you’re enjoying it.
If you think I’m off my meds, remember that we can now use wifi to see through walls.
Imagine what I could do if I could log into an entire house full of wirelessly networked sensors and gizmos, all of which haven’t been updated in years? How many things in your house have infrared sensors? Your phone has how many sensors? Do you ever turn your XBox off?
The NSA is watching Ceiling Cat watch you masturbate, and within our lifetimes this will be the new normal. How will we cope with that world? How will our society deal with the idea that we have no secrets?
Companies like Supermicro are starting to invest in technologies to defend the next generation of devices. It’s a welcome gesture, but they are one company amongst many millions working on IoT devices. For every Supermicro out there doing yeoman’s work on behalf of the little guy, there are 100 others who just don’t care.
We cannot stop what is to come.
Human nature – our apathy, our greed, our feeling of collective impotence and need to shift blame – is what stands in the way. We are our own worst enemy and we will bring the panopticon upon ourselves. It won’t “get better”. We won’t suddenly get a handle on technology and slowly reverse a surveillance state that will have proven so politically and financially valuable to so many. It’s absurdly naive to even entertain the notion.
Our society will change to accept this as normal. Unlike some, I don’t think it will be a grandiose humanising revolution that will cause us to suddenly embrace one another’s differences. I think we will fracture, factionalise, become even more polarised and we will feel all the more helpless and out of control besides. We are sleepwalking into an era of voluntary servitude.
Criminals, corporations and our own governments will all have more “visibility” into our lives than our own spouses. And the only good the technologists of today can hope to do is to slow this inevitable future down. If we’re particularly lucky, it will be the legacy we leave future generations, but not one we ourselves have to live through.
In the meantime and betweentime, do try to enjoy the benefits of the IoT technologies. They are niche – and will continue to be for some time – but benefits do exist. These benefits are the carrot hiding the rather dark and ominous stick.