The coming Internet of Things revolution will see billions of devices, from fridges to traffic lights, connected and controllable from afar.
For Kevin Ashton, the tech entrepreneur and visionary who coined the term ‘Internet of Things’, the risk of devices being hijacked is exponentially greater than any cybersecurity threat we’ve encountered before.
“You can change the real world using the Internet of Things,” explains Ashton, who was in New Zealand last week to address the GS1 eCommerce Innovation Summit.
“If you are malicious, it isn't just about taking all the money out of someone's bank account. You can flip cars, you can shut down power stations, you can potentially make things explode.
“You could kill people with an Internet of Things security breach, which is not something you can do with a web page or data security breach.”
The warning signs have been there for years. In 2016, 230,000 Ukrainians were left in the dark when hackers took control of power network infrastructure, shutting down 30 power substations in the Ivano-Frankivsk region of the country. It was the first confirmed hack of a power grid.
That same year, a massive denial of service attack temporarily took Netflix, Amazon, PayPal and other popular web services offline when hundreds of thousands of insecure routers and web cameras, mainly in South America and South East Asia, were hijacked to send massive amounts of internet traffic to the web servers on which those services rely.
The Mirai attack, as it became known, wasn’t the work of a shadowy group of hardened cybercriminals, but of three young computer programmers in the US who wanted to gain an advantage against their competitors in the massive online game Minecraft.
They scanned the internet for IoT devices that still had the manufacturer’s default settings and passwords and took control of them to create a botnet of devices to launch their attack.
“The Mirai botnet attack wasn’t overly sophisticated, however, was a smart and very calculated attempt at exploiting basic security flaws of connected devices,” says Tim Falinski, Asia Pacific senior director of the consumer division for security software maker Trend Micro.
The company has identified recycled code from the Mirai attack being used in the last year to target internet routers.
“This shows that the potential for this type of attack to happen again still exists especially if consumers overlook basic, yet crucial IoT security practices including changing the default passwords of their devices and securing their routers,” adds Falinski.
Trend Micro recently found that 42 per cent of router security incidents last year related to consumers not changing the default password on their router, reinforcing the importance of getting the basics right to bolster IoT security.
Beyond the barcode
It was a simpler world when UK-born Ashton first got involved in wireless communications over 20 years ago, as a brand manager at Procter & Gamble.
Ashton was looking for ways to make the massive US consumer goods maker’s supply chain more efficient. Barcode scanners were widely used to identify packages as they journeyed down conveyor belts in factories.
But what if you didn’t have to see every single product that was being shipped, and could instantly identify every item wrapped up in a pallet-load of products? The search for a better system led Ashton to the Massachusetts Institute of Technology, where he co-founded the Auto-ID Centre to research sensor technology.
The centre’s goal was to create open standards to spur uptake of a fledgling technology called RFID (radio-frequency identification). It involved building small RFID tags or labels that could communicate information to a reader over radio waves.
RFID is now widely used in supply chains and powers swipe card access to buildings and automatic identification at toll gates all over the world. The price of an RFID tag has dropped to below 5c each, making it much more affordable, and the read speeds of the tags have increased dramatically.
“What the likes of Amazon.com have been able to do is use automatic identification systems, sometimes using RFID, to massively speed up their supply chain and become a serious competitive threat to other retailers,” says Ashton.
But RFID was invented before the internet and cloud computing became all-pervasive. Ashton sees the Internet of Things as being its logical successor, where data is instantly transmitted to a cloud server rather than primarily between a radio tag and its reader.
Alexa is listening
The potential is endless and already we are seeing IoT proliferate in our homes. My Amazon Echo smart speaker can control the Nest security camera in my home as well as adjust the brightness of my Philips Hue lightbulbs.
Hundreds of companies are working to make their consumer electronics devices compatible so they can exist in the same IoT world, with control of all of them a voice command or finger swipe away. Ashton himself went on to found Zensi, a company making wireless sensors for monitoring electrical power, water, and natural gas. Zensi was sold to consumer electronics company Belkin in 2010.
Ashton takes a pragmatic stance on IoT device security.
“It's kind of a solved problem at the technical level. We know how to make these networks secure,” he says.
The real issue is what he describes as the ‘old white man problem’ in many of the companies that are building and implementing IoT devices.
Senior managers often had an old-fashioned view of security and were reluctant to invest sufficiently to prevent cyber attacks they didn't regard as making their core IT systems vulnerable.
“Security isn't a one-time thing, security is every day,” he says.
“The policies and plans you need to keep your security updated can feel burdensome. It can feel like some of the risks you are guarding against are so unlikely that it's not worth the investment of time and money to guard against them.”
It means there’s a wide range of firmware and operating systems running on IoT devices, with security approaches varying across the board. For consumers picking up a smart speaker or buying an internet-enabled smart TV or washing machine, the security question is often lost on them.
“The most glaring IoT security concern currently is the misconception around what exactly a ‘connected’ device is amongst consumers,” says Falinski.
“Without having this understanding, consumers don’t have a comprehensive view of their network and aren’t taking all the necessary measures to protect their devices from cyber threats and cybercriminals.”
Ashton fears that it will take a truly major incident involving a failure of IoT security to force any change in the industry. But he has another concern: a lack of transparency around how data collected by the new wave of consumer IoT devices is stored and used.
“Your Echo is listening to you all the time. There might not be anything spooky or malicious about that, they are trying to improve the product,” he says.
“But if the government decides you might have committed a crime and they find out you have an Amazon Echo in your home or a Nest thermostat that knows when you came home, they may try to subpoena that information.”
“The more you put these things in your house, the more data will be collected.”
He wants to see simpler end-user agreements and labelling letting consumers know what security is being applied to their IoT devices and how the data generated by them is being used.
“Just as you have a nutrition label on foods now, there needs to be an equivalent for privacy and security on high-tech devices,” argues Ashton.
“You'd have a consumer with a product in one hand and a product in the other and be comparing what is this thing going to do to me. Then the free market gets to operate because consumers have enough comprehensible information in advance of making the purchase.”
5G bandwidth explosion
If the hype is to be believed, 5G, or fifth-generation mobile phone networks, set to arrive in New Zealand from the middle of next year, will fuel an explosion in the proliferation of Internet of Things devices.
But Ashton says existing 4G networks can adequately connect IoT devices, which by nature are “bursty” - they don’t require a steady stream of data transfer, but instead send small bursts to update the status of a device.
“If you want to watch an 8K video on your iPad while you are on the bus, 5G will be great for you,” he points out.
“The principal benefits of 5G are more efficient spectrum utilisation and lower latency, higher bandwidth delivery of data. None of that is relevant to the Internet of Things particularly.”
Falinski says that the low latency of these networks will mean attacks ranging from denial of service through to crypto mining and phishing will spread more quickly if the right security isn’t in place.
“The 5G infrastructure is being built with security in mind, however if an attack did happen, the low latency of the network could mean that cybercriminals can operate faster and gain access to sensitive information instantaneously.”
The greater availability of bandwidth these networks enable will also serve to change the economics of supplying network connectivity to an increasing number of devices. A few years ago, connecting a smart meter in your home to monitor your electricity use required the device to have its own data plan, even if it was only sending tiny amounts of data each day.
“Most cellphone operators have now moved to unlimited data plans as an option,” says Ashton.
“The technology has changed to make bandwidth less of a premium than it used to be. 5G is absolutely going to accelerate that.”
Data plans would be redesigned to cover all of the 5G-connected devices in your home and increasingly in your car as we move towards the introduction of autonomous vehicles.
Smart city security threat
But the real revolution in IoT won’t take hold in the home first, says Ashton. It will happen with infrastructure that makes up so-called smart cities.
When sensors are on every lamp post, and IoT controllers are in every electricity substation and sewerage treatment plant, the Internet of Things could serve to make the running of cities far more efficient.
But it also poses the most serious security threat as infrastructure becomes more networked and vulnerable to cyber attack.
A focus on security will be “of paramount importance,” says Ashton, and can’t be left solely to industry to deliver. Governments would have to set the ground rules as IoT devices increasingly controlled the physical world.
“Unfortunately a lot of these regulatory decisions tend to be made by people who don't thoroughly understand the technology and they are very vulnerable to lobbyists,” he warns.
“You need to take the business case off the table by regulating for it.”