Thursday, 26 June 2014

Internet of things heading for a trainwreck

Many years ago I read The Inmates Are Running the Asylum. One of the early chapters pointed out that when you cross a computer with anything you get ... a computer. The intention of the chapter was to highlight terrible user interfaces for computers. 10 years later, I wonder what Alan Cooper would think of "The Internet of Things".

The Internet of Things is basically thing + computer + connection to the internet. Now with lower power chips, it's never been easier. A Raspberry Pi is more powerful than the first computer I built. Slap on a customised Linux distro, marry it to your 'thing' and you are away.

Is it a 'thing' or a computer?

The internet of things will add internet and computing power to things we know now. Things like lights, fridges, watches, power points ... well, pretty much anything. We are used to interacting with these things in the same way that we interact with appliances. You plug them in, switch them on and they just work.

Appliances often have quite long life cycles. For example the fridge we own now used to belong to my wife's grandfather and must be over 20 years old.

This is very different to how we treat computers.

It's worth reviewing how computers have been used.

Computers - a brief review

Computers were once like appliances. You could buy something like a TRS-80, plug it in and use it. It didn't have any persistent storage. Programs were stored on cassettes or later on floppy disks.

Viruses

Early viruses would infect programs on a disk or the disk itself. The vector for infection was generally sneakernet: a computer would pick up the virus when it came into contact with someone else's infected disk. Infection became far easier once computers started getting hard drives, as the virus could then infect any floppy disks that were inserted into the computer.

However, the speed at which viruses could spread was pretty limited by the way that they spread.

Networked - appliances meet Metcalfe's Law

Metcalfe's Law says "the value of a telecommunications network is proportional to the square of the number of connected users of the system". The short version is that computers get much more valuable when they are connected together. This is one of the great benefits that the internet of things promises.

What it also means is that when all the computers are connected together, a virus (or any other sort of malware) can spread far faster. The most spectacular example of this was SQL Slammer, where it is estimated that almost all of the vulnerable systems were infected within 10 minutes of its release.

This has exposed the reality that all computer systems have bugs. Networked computer systems are exposed to all the malware and bad actors on that network. And the internet is a very, very large network.

Obsolete - appliances meet Moore's Law 

Moore's law (better stated as Moore's curves) is generally understood to say that computing performance doubles every 18 months. This is a phenomenally rapid rate of improvement. Imagine if kettles could boil water twice as fast every 18 months.

One impact of this is that computers have a relatively short lifespan when compared to other items. Most computers would be replaced within 5 years (by which time their replacement would be 8 times as fast).

Lifecycle of a computer

While computers started out close to appliances, they now have a very different life cycle in two key ways:
  1. They get updates to fix vulnerabilities to protect them from malware
  2. They live for less than 5 years

Back to the internet of things

My fear is that in the end these are all computers yet they are not being treated like computers. The problem here is computers are not like appliances.

Does your 'thing' get updates?

Will the manufacturer commit to providing software updates for the life of the 'thing' or just the warranty period? The company producing it has a primary interest in selling the thing rather than the software driving the thing. Often the thing itself is their primary area of expertise. Typically the software is an afterthought. It's very likely that the 'thing' you buy will never receive updates.

It will be left running the same software it shipped with. Through the internet it will be exposed to all of the hackers, crackers, tinkerers, malware writers and cyber criminals. They will find holes that need patching and nobody will be there to patch them.

I'm not the only one worried about this sort of thing.

Conclusion

The internet of things is going to provide a stack of new devices that can get hacked.

It took 20 years to create the security lifecycle that we have today. How long will it take for the internet of things to catch up?
