An Internet of Things wish list for 2016

I’ve been writing about the Internet of Things for a while now, both from the perspective of the great opportunities that the IoT offers and the very real pressure it will put on both security practice and legislation designed to protect our privacy.

While there is certainly plenty of legislation out there, especially in Europe, to protect citizen’s privacy online, it will be difficult, if not impossible, to apply much of it to the kinds of data that will be collected through billions of sensors watching our every move both in the home and when out and about.
Yet, if I think about what worries me most directly about the IoT, looking ahead to 2016, it’s that we’re within a hair’s breadth of messing it all up. Massively. Because, at some point in the very near future, the unstoppable force that is the desire to IoT everything will meet the immovable object that is our constant, almost willful, inability to keep data secure. And when those two collide, the resultant explosion could damage the adoption of good IoT technology for a long time.
Let me paint you a picture.

A manufacturer of smart toys, let’s call them SmartToyInc – introduces some kind of cool new gizmo – a smart teddy bear, an interactive nightlight, a cool new robot companion, or whatever. And, since SmartToyInc wants to build in as much “smarts” as possible with as little cost as necessary, they probably focus heavily on the cool new features and less on, say, building in enough processing power and extra battery life to encrypt data as it bounces around between the new toy, the controller (say Mom or Dad’s smartphone) and whatever other services it uses, such as speech recognition, update services, maybe some additional data services that can tell a story, or sing a song. Quite possibly, the device remembers what your child looks like or when they are in the room. In fact, the pressure to put more and more of these capabilities into the device in order to maintain the “wow” factor will undoubtedly drive the kind of excessive feature cramming we normally see reserved for luxury cars and, well, smartphones.

However, it happens, at some point, SmartToyInc is going to find itself with a lot of kids playing with their toys, and inevitably, a lot of their data. They’ll also want to start gathering data about parents, especially tasty morsels like credit card information so they can more easily bill them for additional widgets, content, and functions.

And then, the breach occurs. In an instant, SmartToyInc’s servers are cracked open – and now you’ve got everything from kid’s personal information to their parent’s addresses out in the wild in much the same way as what recently happened to VTech.

Even worse, what if the devices themselves are being manipulated by a nefarious group who knows how to hack simple devices and steal data from them?

The effect on people’s trust of the IoT would be chilling, to say the least. It’s one thing to worry that you might, under special circumstances, cause my car to suddenly switch off the engine. It’s quite another for a parent to start to mistrust the consumer devices in their very home.

Make no mistake, we’re right on the edge of that happening. Next year, we will see a land grab of historic proportions as more and more vendors reach into our homes, either with smart endpoints or centralizing eco systems, in an attempt to win as much of the potential IoT consumer market as possible. And the desire to be first, to be fastest, to cram in the coolest features has rarely sat well with security best practices. Annoying things – like authentication, encryption, patch management – tend to get left behind in the headlong rush to carpe the very lucrative diem.

But, if we get it wrong, if we allow too much excitement to blind us to the risks of not securing all those devices, as they become part of our home, then we collectively risk a backlash of equally historic proportions. Consumers, fearful that their data is being stolen and shared, will demand that governments “do something.” And they will, with predictably disastrous results – poorly worded laws, overly broad regulations, and a tendency to stifle innovation.

So, if someone is asking me about my 2016 wish list, it is to ask everyone to pause, just for a second, and think carefully about the devices we build and how we secure the data they collect. Because, the opportunity to self-regulate will be gone before we know it, and, we could face a bleak IoT world in 2017.