You've just returned home from a two-week Caribbean vacation. You're tanned, well-rested, and happy. You even got the bump to first class on your flight back home. Everything is great. As the plane lands and you turn on your smartphone, you connect to the "Internet of Things" via your home appliance app, to set the correct temperature in the house and turn on the outside lights. The funny thing is, there must be a problem with the app—it's reading 94 degrees inside your house! You get home, and the automatic garage door opener won't work. You walk into the house to find that, indeed, the house is like a sauna, all of your lights are on (and keep flashing on and off every 30 seconds), and your refrigerator has defrosted itself.
Is this just all fantasy and conjecture? Not really...Eric Vynke's session from RSA Conference 2014 provides a grim reality check that legitimizes this type of scenario. Once again, we see that the "Internet of things" continues to present a problem for security. As we've seen in the past few weeks, security flaws within devices that connect new things to the Internet that have never historically been connected—appliances controlled through home automation systems, premise lighting, sprinkler and lawn care systems, and cars—are showing up at an alarming rate, potentially placing people in physical jeopardy. Unlike in the past, when the concerns of information security professionals were on the "information" side of the equation, the Internet of things presents more concrete real-world problems. Now, instead of dealing with the loss or damage of simple data, we now have the distinct possibility of affecting actual, tangible people, places, and things.
Of course, something like the home automation scenario above is still relatively benign. When these same threats start affecting the greater power grid, water and sewage systems, transportation control systems (think rail and aviation systems, which, fortunately, are not yet Internet-standardized control mechanisms), and other infrastructure, we're going to have a much larger problem that affects a huge number of people. Moreover, these attackers are less likely to be casual hackers and much more likely to be either organized terrorist groups or nation-states.
So, what's the solution? One possibility is for manufacturers who are either moving traditional, closed-loop electromechanical equipment to commoditized, Internet-connected infrastructure, or creating new Internet-enabled connection points to bridge to devices (such as home automation systems) to focus on security as a critical product feature, not merely an afterthought that is secondary to other product capabilities. It's only when security gets pushed to the forefront of product development that it becomes most effective. From a consumer perspective, the answer is to be judicious about what you attach to the Internet; convenience is a valuable thing, but it needs to be balanced with an understanding of the risks those conveniences introduce. Finally, everyone—vendor, service provider, and consumer—needs to understand the basic concept of networking: if you connect it to the network (and particularly the Internet), you're essentially making it accessible to every single person in the world. And that's a difficult lesson to learn the hard way.