Internet of Things

I've had a long-running argument with a friend that the Internet of Things can be a good thing. She is convince that it is the worst idea conceived by man, and will be the downfall of mankind. After reading the articles, I'm starting to see where she's coming from...although I think it can be repaired.

The motivations for the IoT is to make everything easier to access and smarter. Home controls that you can configure online. Dumpster sensors that make garbage collection more efficient. Cars that can talk to the internet. Even things like Echo and Alexa that listen and process everything you say, so they can respond to your wish immediately. You can have control over your own things from anywhere, which is quite convenient.

The main problem is, of course, security. If you can access that webcam remotely, how do you make sure no one else can? If your car can send and receive arbitrary data from the internet, how do you make sure your users don't download a virus? (Or at least, how do you guarantee that the virus can do no harm?)

So what should programmers do about security? In a perfect world, they would develop 100% safe code. But that will never happen. So they should insist on increasing security efforts to their managers, but ultimately, how much effort to spend on security is up to the company. Security requires a significant effort from a team of engineers; the company must decide to allocate these resources.

Because the companies decide how secure a product is, how much security is put into the device is directly proportional to how much consumers would care about a failure, because the more secure the thing is, the more expensive it is.

Therefore, cars seem relatively secure (despite the inflammatory articles). Consumers are hyper-sensitive to car hacking, and companies are even more so. I'm sure Ford has every possible incentive to make sure its cars are hack-proof. Imagine all Fords on the highway suddenly stopping, or veering off the road. It would destroy the company instantly. In this industry, interests are aligned; the industry sees the need to invest in security.

However, most IoT industries don't have this drive. They are pushed to create the "minimum viable product," always pushing down costs. As one article puts it, "Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things." Security becomes a second thought, because consumers don't seem to care about buying a cheap, insecure webcam.

Which brings up the idea of who is liable when breaches occur. Ideally, the company who made the item. This is obvious in the case of cars, but what if someone just set no password? Or had a really bad password? It's the user's fault, right? But what if the default is no password? Then the company is probably to blame. Also, how do you discover a webcam hack? You know if your car stops on the road, but how do you know that you're being watched? In short, companies should be liable, but the waters get really murky really fast.

I think the government needs to step in and regulate this industry. Have certain security requirements for anything that connects to the internet. (Although there might be an inherent conflict of interest with the surveillance discussion from last week...). The impact of an insecure IoT is frightening. With microphones and cameras, others could hear and see everything about your life. Whether that's hackers or the government, I think that's a dangerous road to walk down. Even the devices that don't have cameras/microphones could (and have been) used as a botnet. Those are two serious problems with an insecure IoT.

Overall, do I fear the Iot? Billions of interconnected devices? Yes and no. At the current pace of security, yes. I would not buy a smart home, webcam, Echo, or Alexa. I think security has the potential to improve, however. If meaningful strides are made, perhaps overseen by a new government agency (a few administrations down the line, I guess), I would trust a web of objects. But not today.