One motto that I try to follow in my day-to-day activities is: “small is beautiful”. “Why?” you could say. Because in security, and in many aspects of our lives, going slowly, or taking small bites, is sometimes better than going full blast. It is really easy to adopt a shiny new technology, or throw cash at new systems that promise to help you manage your business way more efficiently. But are you sure it is the right thing to do for you, or your organization?
Not only are those kinds of promises usually over-inflated, but they can sometimes hide other problems that are difficult to analyze. First of all, it is not always that easy to implement a new technology, or a new system, in a business, especially if human resistance is involved. The cultural aspect of a technological evolution is way too often minimized by the technology vendors.
Secondly, and this is probably the most important point, the new technology that you are trying to implement in your daily business might be your worst enemy. Yeah, like Voltaire said, sometimes, perfect is the enemy of good.
This is especially true of all the technology that is emerging from the Internet of things world. As a quick reminder, the Internet of things corresponds to the union of Internet connectivity with the mundane objects that we use daily. Right now, since it is so promising from a business perspective, you have a lot of companies that are trying to get into that market very quickly.
It is promising, because it is opening new applications to an existing market. For example, you could have different sensors in your home that would be able to “read” how your home reacts to the passage of time and temperature. Hence, it would be possible for you to detect problems before they happen and eventually “correct that”. Those sensors could, for example, avoid water leakage in your house by sending you an SMS when it is time to make an inspection.
In theory, this is great! In practice, well, that might be problematic.
The main problem is that each time you connect an Internet-enabled device to your network, it is another door that might be used by a criminal to corrupt your connected devices. What does that mean? It means that the more devices you have on your network, the more your organization might be at risk. And, even though the device you plug in seems safe, even though it is produced by a reliable company – not some weird Chinese mockup – there is always a slight possibility that it might host a zero-day vulnerability.
I know, I know, I am that former intelligence guy who is extremely paranoid and, therefore, I am an alarmist. But the fact is that it is already happening. We have multiple reports of connected devices that are vulnerable to attacks. During the last DEFCON conference alone, a hackers' contest led to the discovery of 47 new vulnerabilities affecting 23 devices from 21 different manufacturers. This was done in a relatively short period, and it was done “for fun”. Now you can imagine what can happen to your organization if you are targeted by a motivated individual, or group. Considering that there is literally a multiplication of vulnerabilities on devices considered to be part of the Internet of things phenomenon right now, you should be really careful with your decisions.
Welcome to the Jungle
The real problem with the Internet of things is that it is a real jungle out there. You have lots of companies that are trying to get a piece of this new market as fast as possible, and that do not have the best experience with security. Added to that, you have to take into consideration that this market is so new that good security practices aren’t as good as they should be; there are no strict rules. So, all in all, you have a situation where everybody is rushing into a market that is widely unregulated. These are the best ingredients to have if you want to create a recipe for high-risk situations.
Does that mean that the Internet of things is a bad thing? Not at all. I do believe that we are going to see marvelous applications from this trend. But right now, it is probably way too early to jump on that train. I would wait if I were you. You know, just to be sure. 😉